> I am trying to create an IAM user that has CodeCommit and S3 access using only CloudFormation, but I also want to add an SSH_PublicKey. This is what I have so far:
```yaml
Resources:
  ItS3User:
    DependsOn: ArtifactsBucket
    Type: AWS::IAM::User
    Properties:
      Policies:
        - PolicyName: ItS3Access
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: AllowUserToSeeBucketListInTheConsole
                Action:
                  - s3:ListAllMyBuckets
                  - s3:GetBucketLocation
                Effect: Allow
                Resource:
                  - arn:aws:s3:::*
              - Sid: AllowRootAndUploadsBucket
                Action:
                  - s3:ListBucket
                Effect: Allow
                Resource:
                  - Fn::Join:
                      - ''
                      - - 'arn:aws:s3:::'
                        - Ref: ArtifactsBucket
                Condition:
                  StringEquals:
                    s3:prefix:
                      - ''
                      - it/
                    s3:delimiter:
                      - '/'
              - Sid: AllowListingOfUploadsFolder
                Action:
                  - s3:ListBucket
                Effect: Allow
                Resource:
                  - Fn::Join:
                      - ''
                      - - 'arn:aws:s3:::'
                        - Ref: ArtifactsBucket
                Condition:
                  StringLike:
                    s3:prefix:
                      - it/*
              - Sid: AllowAllS3ActionsInUploadsFolder
                Effect: Allow
                Action:
                  - s3:PutObject
                  - s3:GetObject
                  - s3:GetObjectVersion
                Resource:
                  - Fn::Join:
                      - ''
                      - - 'arn:aws:s3:::'
                        - Ref: ArtifactsBucket
                        - '/it'
                        - '/*'
  ItUserAccessKey:
    DependsOn: ItS3User
    Type: AWS::IAM::AccessKey
    Properties:
      UserName:
        Ref: ItS3User
Outputs:
  ItUserAccessKeyID:
    Description: The Access Key for S3 bucket access
    Value:
      Ref: ItUserAccessKey
  # Note: stack outputs are readable by anyone allowed cloudformation:DescribeStacks,
  # so the secret key is visible to everyone who can view the stack.
  ItUserAccessKeySecret:
    Description: The Access Key Secret for S3 bucket access
    Value:
      Fn::GetAtt:
        - ItUserAccessKey
        - SecretAccessKey
```
Per https://docs.aws.amazon.com/IAM/latest/APIReference/API_UploadSSHPublicKey.html you can create a custom resource that calls UploadSSHPublicKey. Something like the following should work. Don't forget to change the value of SSHPublicKeyBody to the key you want.
```yaml
Resources:
  UploadSshKeyRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: UploadSSHKey
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              # Scoped to the one user. DeleteSSHPublicKey is needed so that stack
              # deletion, and key replacement on Update, can remove the old key.
              - Action:
                  - iam:UploadSSHPublicKey
                  - iam:DeleteSSHPublicKey
                Effect: Allow
                Resource: !Sub ${ItS3User.Arn}
  UploadKeyFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.12   # python3.6 is end-of-life and can no longer be deployed
      Handler: index.handler
      Role: !Sub ${UploadSshKeyRole.Arn}
      Timeout: 60
      Code:
        ZipFile: |
          import boto3
          import cfnresponse
          import traceback

          iam = boto3.client('iam')

          def handler(event, context):
              props = event['ResourceProperties']
              try:
                  if event['RequestType'] == 'Delete':
                      # PhysicalResourceId is the SSHPublicKeyId returned on Create.
                      # IAM SSH public key ids start with APKA; anything else means
                      # Create never produced a key, so there is nothing to delete.
                      key_id = event['PhysicalResourceId']
                      if key_id.startswith('APKA'):
                          try:
                              iam.delete_ssh_public_key(
                                  UserName=props['UserName'],
                                  SSHPublicKeyId=key_id,
                              )
                          except iam.exceptions.NoSuchEntityException:
                              pass  # already gone; don't block stack deletion
                      cfnresponse.send(event, context, cfnresponse.SUCCESS, {}, key_id)
                      return
                  # Create, or Update with a changed key: upload and report the new
                  # key id as the physical id, so CloudFormation sends a Delete for
                  # the old id afterwards (a replacement).
                  response = iam.upload_ssh_public_key(
                      UserName=props['UserName'],
                      SSHPublicKeyBody=props['SSHPublicKeyBody'],
                  )
                  key_id = response['SSHPublicKey']['SSHPublicKeyId']
                  cfnresponse.send(event, context, cfnresponse.SUCCESS,
                                   {'SSHPublicKeyId': key_id}, key_id)
              except Exception:
                  traceback.print_exc()
                  cfnresponse.send(event, context, cfnresponse.FAILED, {},
                                   event.get('PhysicalResourceId', 'failed'))
  UploadSshKey:
    Type: Custom::UploadSshKey
    Properties:
      ServiceToken: !Sub ${UploadKeyFunction.Arn}
      UserName: !Ref ItS3User
      SSHPublicKeyBody: "XXX INSERT PUBLIC KEY HERE XXX"
```
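The part of a custom resource that is easy to get wrong is not the single UploadSSHPublicKey call but the lifecycle around it: CloudFormation sends Create, Update and Delete events, treats a changed PhysicalResourceId on Update as a replacement and then sends a Delete for the old id, and a Delete that reports FAILED leaves the stack stuck. The following is an added example, not code from the question or the answer above, that drives that handler logic through those events offline. A fake IAM client and a fake cfnresponse stand in for boto3.client('iam') and for the cfnresponse module CloudFormation injects into inline Lambda code; the user name, key bodies and APKA-prefixed key ids are constructed sample data.

```python
"""Simulated CloudFormation lifecycle for an UploadSSHPublicKey custom resource.

Added example, not the question's or the answer's code. FakeIAM and Responses
are stand-ins for boto3's IAM client and cfnresponse.send so this runs offline.
"""
import hashlib

SUCCESS, FAILED = "SUCCESS", "FAILED"


class FakeIAM:
    """In-memory stand-in for boto3.client('iam'): (user, key_id) -> key body."""

    def __init__(self):
        self.keys = {}

    def upload_ssh_public_key(self, UserName, SSHPublicKeyBody):
        if not SSHPublicKeyBody.startswith("ssh-rsa "):
            raise ValueError("InvalidPublicKey")        # IAM rejects malformed keys
        if SSHPublicKeyBody in [b for (u, _), b in self.keys.items() if u == UserName]:
            raise ValueError("DuplicateSSHPublicKey")   # same key uploaded twice
        # Real ids start with APKA; derive one deterministically from the body.
        key_id = "APKA" + hashlib.sha256(SSHPublicKeyBody.encode()).hexdigest()[:16].upper()
        self.keys[(UserName, key_id)] = SSHPublicKeyBody
        return {"SSHPublicKey": {"SSHPublicKeyId": key_id, "UserName": UserName}}

    def delete_ssh_public_key(self, UserName, SSHPublicKeyId):
        if (UserName, SSHPublicKeyId) not in self.keys:
            raise KeyError("NoSuchEntity")
        del self.keys[(UserName, SSHPublicKeyId)]


class Responses:
    """Records what cfnresponse.send would POST to the pre-signed response URL."""

    def __init__(self):
        self.sent = []

    def send(self, event, status, data, physical_id):
        self.sent.append({"RequestType": event["RequestType"], "Status": status,
                          "Data": data, "PhysicalResourceId": physical_id})


def handler(event, iam, responses):
    """Create/Update upload the key and return its id as the physical id;
    Delete removes the key named by the physical id."""
    props = event["ResourceProperties"]
    old = event.get("OldResourceProperties", {})
    try:
        if event["RequestType"] == "Delete":
            try:
                iam.delete_ssh_public_key(UserName=props["UserName"],
                                          SSHPublicKeyId=event["PhysicalResourceId"])
            except KeyError:
                pass  # already gone: idempotent delete keeps teardown from hanging
            responses.send(event, SUCCESS, {}, event["PhysicalResourceId"])
            return
        if (event["RequestType"] == "Update"
                and old.get("UserName") == props["UserName"]
                and old.get("SSHPublicKeyBody") == props["SSHPublicKeyBody"]):
            # Nothing about the key changed (e.g. only ServiceToken did): keep the
            # existing key instead of hitting DuplicateSSHPublicKey.
            responses.send(event, SUCCESS, {"SSHPublicKeyId": event["PhysicalResourceId"]},
                           event["PhysicalResourceId"])
            return
        resp = iam.upload_ssh_public_key(UserName=props["UserName"],
                                         SSHPublicKeyBody=props["SSHPublicKeyBody"])
        key_id = resp["SSHPublicKey"]["SSHPublicKeyId"]
        responses.send(event, SUCCESS, {"SSHPublicKeyId": key_id}, key_id)
    except Exception:
        responses.send(event, FAILED, {}, event.get("PhysicalResourceId", "failed"))


def run_lifecycle(user, old_key, new_key):
    """Drive the resource the way CloudFormation does: Create, Update with a changed
    key body, then the Delete it issues for the old physical id after a replacement."""
    iam, responses = FakeIAM(), Responses()
    handler({"RequestType": "Create",
             "ResourceProperties": {"UserName": user, "SSHPublicKeyBody": old_key}},
            iam, responses)
    old_id = responses.sent[-1]["PhysicalResourceId"]
    handler({"RequestType": "Update", "PhysicalResourceId": old_id,
             "ResourceProperties": {"UserName": user, "SSHPublicKeyBody": new_key},
             "OldResourceProperties": {"UserName": user, "SSHPublicKeyBody": old_key}},
            iam, responses)
    new_id = responses.sent[-1]["PhysicalResourceId"]
    if new_id != old_id:  # physical id changed: CloudFormation cleans up the old key
        handler({"RequestType": "Delete", "PhysicalResourceId": old_id,
                 "ResourceProperties": {"UserName": user, "SSHPublicKeyBody": old_key}},
                iam, responses)
    return {"old_id": old_id, "new_id": new_id,
            "statuses": [r["Status"] for r in responses.sent],
            "remaining": sorted(k for (_, k) in iam.keys)}


if __name__ == "__main__":
    # Constructed sample keys; real bodies are full ssh-rsa public key lines.
    print(run_lifecycle("ItS3User", "ssh-rsa AAAAB3NzaC1yc2E old", "ssh-rsa AAAAB3NzaC1yc2E new"))
```

In the deployed Lambda the `iam` and `responses` parameters are replaced by `boto3.client('iam')` and `cfnresponse.send(event, context, ...)`, and `KeyError` by `iam.exceptions.NoSuchEntityException`; the branching is what matters. Returning the key id as the physical id is what lets a key rotation be expressed as a plain template change, and the tolerant Delete is what keeps a half-failed stack deletable.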