我想要一个能够创建IAM组织的IAM用户。
为了实现这一点,我需要创建一个使用SLR的策略。
我将此策略附加到我的IAM所属的组。
如果我使用常规SLR权限策略,我可以与任何用户一起创建组织。
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/*"
}
当我指定我想要拥有这些权限的确切用户资源时,我就不能再这样做了。
这是aws文档中提供的模板
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/SERVICE-NAME.amazonaws.com/SERVICE-LINKED-ROLE-NAME-PREFIX*",
"Condition": {"StringLike": {"iam:AWSServiceName": "SERVICE-NAME.amazonaws.com"}}
},
这是我的
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::000056397000:user/root_name:role/aws-service-role/organizations.amazonaws.com/*"
}
我得到的错误是:
An error occurred (AccessDeniedForDependencyException) when calling the CreateOrganization operation: The
request failed because your credentials do not have permission to create the service-linked role required
by AWS Organizations.
我错过了什么?
我找到了一个变通办法。不理想,也许有人有更好的主意。
具有2个策略的组
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "arn:aws:iam::*:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations*",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "organizations.amazonaws.com"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "organizations:CreateOrganization",
"Resource": "*"
}
]
}