如何获得开发人员创建的EC2的访问权限? [英] How do I get access to the EC2 my developer has created?
问题描述
我的开发人员已经在AWS上创建了EC2实例,我希望能够通过自己的仪表板访问它.
My developer has created an EC2 instance on AWS and I want to be able to access it via my own dashboard.
我所做的是:
- 作为root用户,我为我和他创建了一个IAM帐户,并将我们都分配给一个名为PowerUsers的组.
- 我创建了一个组织单位并将其帐户添加到其中
当他进入自己的EC2仪表板时,他看到了自己创建的实例.但是,当我转到EC2仪表板时,什么也看不到.我们都选择了正确的区域.
When he goes to his EC2 dashboard, he sees his created instances. But when I go to my EC2 dashboard, I see nothing. We both selected the correct region.
我希望有人可以在这里为我们提供帮助,我似乎无法从AWS文档中找到任何明智的选择.
I hope someone can help us out here, I can't seem to get any wiser from the AWS documentation.
推荐答案
tl; dr 在视觉访问和技术访问之间存在区别.可以通过IAM角色和权限等获得技术支持.无法进行视觉访问,而不是通过其他帐户在AWS控制台中进行.
tl;dr there is a difference between visual access and technical access. Technical is possible, via IAM roles and permissions, etc. Visual access is not possible, not in the AWS console from a different account.
通常,您看不到有权访问的其他帐户的资源.这根本不是AWS/IAM或基本上任何复杂权限系统的工作方式.
Generally you do not see resources from other accounts that you have access to. That is simply not how AWS / IAM or basically any complex permission system works.
与S3存储桶相同,您无法在S3控制台中看到有权访问的S3存储桶,不是所有人共享的存储桶,也没有明确授予您访问权限的存储桶.您只会看到自己/帐户实际拥有的存储分区.
Same thing for S3 buckets, you cannot see S3 buckets you have access to in your S3 console, not those that are public to everyone and not those that you have explicitly been granted permission to. You only ever see the buckets that you / your account actually own(s).
从技术角度来看,这样做的原因非常简单:AWS根本不知道您可以访问哪个存储桶/EC2实例.它知道您的权限,以及是否要访问特定资源,AWS可以检查该权限是否允许您访问它,但不能反过来.
The reason for that from a technical perspective is really simple: AWS simply does not know which buckets / EC2 instance you can access. It knows your permissions and if you want to access a specific resource AWS can check if the permissions let you access it but not the other way around.
IAM具有可以基于IP,一天中的时间,VPC等授予权限的权限.这使得显示您现在可以访问 now 的内容成为不可能且没有真正意义,因为在10秒钟内或从10秒钟开始不同的网络可能根本看不到它.
IAM has permission that can grant permissions based on IP, time of day, VPC, etc. That makes it impossible and not really meaningful to display what you can access now because in 10 second or from a different network it might be that you cannot see it at all.
让我根据个人经验告诉您,目前我自己建立自己:如果您建立许可系统,则其目的是回答我可以X做"吗?但是列出所有X是一个非常不同的故事,IAM无法回答它,而且我还没有遇到一个可以回答它的权限系统,同时它具有复杂的权限结构并且非常有效.似乎您无法同时具有效率,复杂性和反向查找/列表.
Let me tell you from personal experience and currently building one myself: If you build a permission system it is built to answer "can I do X" but listing all X is a VERY different story, IAM cannot answer it and I have not come across a permission system that can answer it while at the same time having a complex permission structure AND being efficient. Seems like you cannot have efficiency, complexity and reverse lookup / list at the same time.
请注意,您仍然有权访问该资源.例如.当操纵浏览器URL直接访问资源时,即使您没有登录到拥有的帐户,您也可以查看它,但此时您正在询问我可以X"吗?(X =查看资源")和 即可轻松回答.您只能列出资源.
Note that you still have access to the resource. E.g. when manipulating the browser URL to directly access the resource you can view it even though you are not logged into the owning account but at that point you are asking "can I do X" (X = "view resource") and that can be easily answered. You only cannot list the resources.
第二个注意事项:您看到的某些列出的资源以及您的帐户拥有的资源仍然无法访问,因为对于您当前的角色可能存在明确的IAM Deny 策略,该策略仅在交互时生效资源.
Second note: some of the listed resources you see and that your account owns you still cannot access because there might be an explicit IAM Deny policy for your current role in place that only takes effect when interacting with the resource.
这篇关于如何获得开发人员创建的EC2的访问权限?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
