使用 AWS,我正在构建一个定义以下内容的云形成堆栈:
- 几个资源(为简单起见,下面不转录(
- 一个名为
MyPolicy的策略,允许使用这些资源(为简单起见,下面未转录( - 名为
MyRole提交到该策略的角色
堆栈将由管理员创建;一旦创建,目标是允许(从堆栈外部(一些用户承担MyRole以便使用多个资源。
我的问题:应该如何定义角色,以便用户可以承担(允许特定用户来自堆栈外部(?
在AWS帮助页面中,他们给出了一个示例,其中"Service": [ "ec2.amazonaws.com" ],这意味着允许ec2实例假定rôle...但我不明白它是如何转化为用户的,也没有给出关于这种情况的例子。
以下是我使用JSON格式的堆栈定义:
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"MyRole" : {
"Type": "AWS::IAM::Role",
"RoleName": "MyRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": [ "??" ] },
"Action": [ "sts:AssumeRole" ]
}
]
},
"ManagedPolicyArns": [ { "Fn::GetAtt" : [ "MyPolicy", "Arn" ] } ],
}
}
}
好问题!只需使用您的根用户 ARN 作为委托人即可。这将允许您控制哪个用户可以使用 IAM 代入角色。这是一个例子(为了我自己的理智,在 YAML 中(:
AdministratorRole:
Type: AWS::IAM::Role
Properties:
RoleName: administrator
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
Action: sts:AssumeRole
Condition:
Bool:
aws:MultiFactorAuthPresent: 'true'
Path: "/"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AdministratorAccess
AssumeAdministratorRolePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: "AssumeRolePolicy-Administrator"
Description: "Assume the administrative role"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: "AssumeAdministratorRolePolicy"
Effect: "Allow"
Action:
- "sts:AssumeRole"
Resource: !GetAtt AdministratorRole.Arn
AssumeAdministratorRoleGroup:
Type: AWS::IAM::Group
Properties:
GroupName: "AssumeRoleGroup-Administrator"
ManagedPolicyArns:
- !Ref AssumeAdministratorRolePolicy
剩下的唯一事情就是将用户添加到假设角色组管理员组。
奖励:我添加了一个条件,仅允许使用 MFA 登录的用户代入该角色。
此外,只需将您的${AWS::AccountId}换成您拥有的另一个账户 ID,您就可以轻松地跨账户代入角色。
假设您希望账户B可以代入访问账户的角色,A具有自定义列表 S3 访问权限和 AWS 托管的 Rout53 完全访问权限:
然后使用帐户A进行以下云形成:
Parameters:
AccountBId:
Type: String
environment:
Type: String
Default: development
AllowedValues:
- development
- production
Resources:
# Account A:
ListS3Access:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- "s3:ListAllMyBuckets"
- "s3:ListBucket"
- "s3:ListBucketVersions"
- "s3:GetObject"
Resource: '*'
TestRole:
Type: AWS::IAM::Role
Description: Test Role
DependsOn:
- ListS3Access
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AccountBId}:root'
Action: sts:AssumeRole
ManagedPolicyArns:
- !Ref ListS3Access
- arn:aws:iam::aws:policy/AmazonRoute53FullAccess
Tags:
- Key: environment
Value: !Ref environment
运行账户A云形成后,您应该获取TestRolearn,将其保存以供账户B以后使用
在以下云形成的帐户B:
Parameters:
AccountAId:
Type: String
roleName:
Type: String
Default: xxxxxxxxx
Resources:
AssumeTestRolePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: "Assume My Test role"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: "AssumeTestRolePolicy"
Effect: "Allow"
Action:
- "sts:AssumeRole"
Resource: !Sub 'arn:aws:iam::${AccountAId}:role/${roleName}'
AssumeTestRoleGroup:
Type: AWS::IAM::Group
DependsOn:
- AssumeTestRolePolicy
Properties:
GroupName: "AssumeRoleGroup"
ManagedPolicyArns:
- !Ref AssumeTestRolePolicy
当您运行账户BcloudFormation 时,提供您从账户A获得的TestRoleArn,并将其提供给roleName
部署两个 cloudFormation 后,登录到帐户B,将用户分配到组,您应该能够使用该用户切换角色。