我怎样才能允许一个组承担一个角色? [英] How can I allow a Group to assume a Role?
问题描述
如何允许组的所有成员在 AWS IAM 中担任角色?
How can I allow all members of a Group to assume a Role in AWS IAM?
我尝试使用以下语句,但如 AWS IAM 中所述主体元素,一个组不能是主体.
I tried Using the following statement but as specified in AWS IAM Principal Element, a Group can not be a Principal.
我想实现如下目标:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::***:group/developer"
},
"Action": "sts:AssumeRole"
}
]
}
这个想法是 group/developer
组的所有成员都应该能够承担这个角色.目的是让我不必单独指定组中的每个成员.
The idea is that all members of the group group/developer
should be able to assume the role. The objective is that I should be saved from having to specify each member in a group individually.
有没有办法做到这一点?
Is there a way to achieve this?
推荐答案
将策略附加到组,授予对所需角色调用 sts:AssumeRole
的权限:
Attach a policy to the Group that grants permission to call sts:AssumeRole
on the desired Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "123",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::123456789012:role/desired-role"
]
}
]
}
另外,附上关于角色的信任政策.示例策略(下方)信任帐户中的任何用户,但他们还需要 sts:AssumeRole
权限(上方)来承担该角色.
Also, attach a Trust Policy on the Role. The sample policy (below) trusts any user in the account, but they would also need sts:AssumeRole
permissions (above) to assume the role.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "sts:AssumeRole"
}
]
}
这篇关于我怎样才能允许一个组承担一个角色?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!