AWS: restricting which IAM roles different IAM users can attach to an EC2 instance



I'm trying to figure out whether this is possible. I have two IAM users. I want each of them to be able to start/stop the same EC2 instance, but I want each IAM user to be able to attach a different IAM role to this EC2 instance. In other words, user1 should only be able to attach role1 to this EC2 instance, and user2 should only

Before starting the instance, I use the aws ec2 associate-iam-instance-profile command to attach an IAM instance profile to the EC2 instance, and after shutting it down I detach the profile again. I want each IAM user to be able to attach only one specific IAM role to this one EC2 instance.

Is this possible? Any ideas or examples? Many thanks.

The following IAM policy, applied to each of the two users, should be sufficient:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:AssociateIamInstanceProfile",
            "Resource": "<arn-of-the-instance>"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::xxxx:role/<role-name>"
        }
    ]
}

The above only allows passing one specific role and calling AssociateIamInstanceProfile on one specific instance.

However, this does not cover disassociating the profile from the instance.

This is the solution that worked for me (thanks to Marcin for the correct hint).

  • I have two IAM users: deploy-staging and deploy-production
  • I have one EC2 instance that can deploy to either the staging or the production environment, depending on which IAM role it assumes
  • The deploy-staging IAM user has the following IAM policy attached. This policy allows the user to start/stop the EC2 instance used to deploy code to staging, and to attach/detach the correct IAM role (deploy-role-staging) to that EC2 instance so that it has the right permissions to deploy to staging. This is the only IAM role this user can attach to this EC2 instance.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:ModifySecurityGroupRules",
                "ec2:StopInstances",
                "ec2:AssociateIamInstanceProfile",
                "ec2:ReplaceIamInstanceProfileAssociation"
            ],
            "Resource": [
                "arn:aws:ec2:*:account-id:security-group/sg-xxxxxxxxxxxxxx",
                "arn:aws:ec2:us-east-1:account-id:instance/i-xxxxxxxxxxxxxx",
                "arn:aws:ec2:*:account-id:security-group-rule/sgr-xxxxxxxxxxxxxx"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeIamInstanceProfileAssociations"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::account-id:role/deploy-role-staging"
        }
    ]
}
  • The deploy-production IAM user has the following IAM policy attached. This policy allows the user to start/stop the EC2 instance used to deploy code to production, and to attach/detach the correct IAM role (deploy-role-production) to that EC2 instance so that it has the right permissions to deploy to production. This is the only IAM role this user can attach to this EC2 instance.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:StartInstances",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:ModifySecurityGroupRules",
                "ec2:StopInstances",
                "ec2:AssociateIamInstanceProfile",
                "ec2:ReplaceIamInstanceProfileAssociation"
            ],
            "Resource": [
                "arn:aws:ec2:*:account-id:security-group/sg-xxxxxxxxxxxxxx",
                "arn:aws:ec2:us-east-1:account-id:instance/i-xxxxxxxxxxxxxx",
                "arn:aws:ec2:*:account-id:security-group-rule/sgr-xxxxxxxxxxxxxx"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeIamInstanceProfileAssociations"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::account-id:role/deploy-role-production"
        }
    ]
}
  • The deploy-role-staging IAM role has policies attached that allow it to update the S3 bucket used for staging and the CloudFront distribution used for staging
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cloudfront:GetInvalidation",
                "cloudfront:CreateInvalidation"
            ],
            "Resource": [
                "arn:aws:cloudfront::account-id:distribution/XXXXXXXXXXXXX"
            ]
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::stagingXXX.example.com",
                "arn:aws:s3:::stagingXXX.example.com/*"
            ]
        }
    ]
}
  • The deploy-role-production IAM role has policies attached that allow it to update the production S3 bucket and the production CloudFront distribution. They are the same as for staging, except that the CloudFront distribution ID and the S3 bucket names are different.

Summary: each user can only make the EC2 instance assume one specific role, and through that role the EC2 instance gets access to a different set of resources.

Don't forget to write the code that actually starts/stops the EC2 instance. The following example CLI commands (run via /bin/bash) attach/detach the IAM role:

#!/bin/bash
set -euo pipefail
# IAM_ROLE must already hold the name of the instance profile this user is allowed to pass
# (deploy-role-staging or deploy-role-production). Instance id and CLI profile are placeholders.
INSTANCE_ID="XXXXXXXXXXXX"
CLI_PROFILE="XXXX"
# Get the current IAM role association for the EC2 instance. Only associating/associated
# entries are wanted: recently disassociated ones are still listed for a while.
EC2_IAM_ROLE_ASSOCIATION_ID=$(aws ec2 describe-iam-instance-profile-associations --filters "Name=instance-id,Values=$INSTANCE_ID" "Name=state,Values=associating,associated" --query 'IamInstanceProfileAssociations[*].AssociationId' --output text --profile "$CLI_PROFILE")
# Only disassociate an IAM role if one is attached to the EC2 instance.
if [ -n "$EC2_IAM_ROLE_ASSOCIATION_ID" ]; then
    # Disassociate any IAM role from the EC2 instance.
    aws ec2 disassociate-iam-instance-profile --association-id "$EC2_IAM_ROLE_ASSOCIATION_ID" --profile "$CLI_PROFILE"
fi
# Attach the correct IAM role to the EC2 instance.
EC2_IAM_ROLE_ASSOCIATION_ID=$(aws ec2 associate-iam-instance-profile --instance-id "$INSTANCE_ID" --iam-instance-profile "Name=$IAM_ROLE" --query 'IamInstanceProfileAssociation.AssociationId' --output text --profile "$CLI_PROFILE")
# Start the instance, run the deployment and stop the instance here (not shown).
# Afterwards, disassociate the IAM role from the EC2 instance again.
aws ec2 disassociate-iam-instance-profile --association-id "$EC2_IAM_ROLE_ASSOCIATION_ID" --query 'IamInstanceProfileAssociation.State' --output text --profile "$CLI_PROFILE"
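To check that a policy like the ones above really confines a user to its one role and its one instance, here is an added Python example (not from the answer and not an AWS library) that applies a simplified version of IAM's evaluation rules to a constructed copy of the deploy-staging policy. The account id, instance id and role ARNs are placeholders, and conditions and NotAction/NotResource are not modelled.

```python
import json
import re

# Constructed, trimmed copy of the deploy-staging user policy from the answer above
# (placeholder account and instance ids; the security-group resources are left out).
DEPLOY_STAGING_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:AssociateIamInstanceProfile",
              "ec2:DisassociateIamInstanceProfile", "ec2:ReplaceIamInstanceProfileAssociation"],
   "Resource": "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"},
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:DescribeInstances", "ec2:DescribeIamInstanceProfileAssociations"]},
  {"Effect": "Allow", "Action": "iam:PassRole",
   "Resource": "arn:aws:iam::111122223333:role/deploy-role-staging"}
]}""")
STAGING_ROLE = "arn:aws:iam::111122223333:role/deploy-role-staging"
PRODUCTION_ROLE = "arn:aws:iam::111122223333:role/deploy-role-production"
INSTANCE = "arn:aws:ec2:us-east-1:111122223333:instance/i-0123456789abcdef0"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, value, ignore_case):
    # IAM treats '*' and '?' as wildcards; action names match case-insensitively, ARNs do not.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy, action, resource):
    """Simplified identity-policy logic: an explicit Deny wins, any matching Allow grants,
    anything else is implicitly denied. Conditions and NotAction/NotResource are not modelled."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_glob_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_glob_match(r, resource, False) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def attachable_roles(policy, candidate_role_arns):
    """Roles the principal can hand to EC2: attaching a profile requires iam:PassRole on its role."""
    return [arn for arn in candidate_role_arns if is_allowed(policy, "iam:PassRole", arn)]
```

With the staging policy, `attachable_roles(DEPLOY_STAGING_POLICY, [STAGING_ROLE, PRODUCTION_ROLE])` returns only the staging role, and association is allowed on the one listed instance but on no other. For the authoritative answer, ask the same questions of the real user with `aws iam simulate-principal-policy`.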
