我们希望我们的开发人员能够创建可以部署其服务的代码管道。这意味着他们需要能够为代码管道步骤创建IAM角色。
这意味着我们需要为我们的开发人员提供IAM功能。是否有一种方法可以限制他们可以创建的IAM角色仅限于创建某些服务?比方说ECS、EC2、RDS相关的操作。或者可能专门将某些服务列入黑名单,如IAM相关操作。
是。为此,我们为开发人员提供了一个角色(由CodeBuild承担(,该角色可以根据权限边界创建其他角色。我们鼓励他们将CodePipeline分解为多个阶段,并为每个阶段分别扮演不同的角色。他们使用这个CodeBuild角色来旋转他们的管道。角色在可以传递给哪些服务以及可以执行哪些操作方面受到限制。
关于如何做到这一点的准云信息如下:
DeveloperPipelineCreateRole:
Type: AWS::IAM::Role
Properties:
RoleName: "Developer-pipeline-create-role"
ManagedPolicyArns:
- !Ref DeveloperPipelineCreatePolicy
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- codebuild.amazonaws.com
Action:
- sts:AssumeRole
DeveloperPipelineCreatePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: "Developer-pipeline-create-policy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: AllowCreateRoles
Effect: Allow
Action:
- iam:CreateRole
- iam:DetachRolePolicy
- iam:AttachRolePolicy
- iam:PutRolePermissionsBoundary
Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/*'
Condition:
StringEquals:
iam:PermissionsBoundary:
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/pipeline-iam-boundary'
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/source-iam-boundary'
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/build-iam-boundary'
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/deploy-iam-boundary'
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/execution-iam-boundary'
CodePipelineBoundary:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Sub "pipeline-iam-boundary"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Action:
- iam:PassRole
Resource: "*"
Effect: Allow
Condition:
StringEqualsIfExists:
iam:PassedToService:
- cloudformation.amazonaws.com
- elasticbeanstalk.amazonaws.com
- ec2.amazonaws.com
- ecs-tasks.amazonaws.com
- Sid: AddStuffYourPipelineRoleMightDo
Effect: Allow
Action: (something)
Resource: (something)
SourceBoundary: (similar to above)
BuildBoundary: (similar to above)
...