How to restrict a user to a specific instance volume in AWS using IAM policy
I am working on Amazon Web Services, designing custom IAM policies.
I have a user who has restricted access to the instances, e.g. he can start and stop the instances. Similarly, I want to restrict the user to attaching and deleting specific volumes. I have created this policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "TheseActionsDontSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": ["ec2:DescribeInstances","ec2:DescribeInstanceStatus","ec2:DescribeVolumeAttribute","ec2:DescribeVolumeStatus","ec2:DescribeVolumes"], ,
      "Resource": "*"
    },
    {
      "Sid": "TheseActionsSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:StopInstances",
        "ec2:StartInstances",
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": "arn:aws:ec2:us-west-2:AccountID:instance/instanceID",
      "Resource": "arn:aws:ec2:us-west-2:AccountID:instance/instanceID",
      "Resource": "arn:aws:ec2:us-west-2:AccountID:instance/instanceID",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/volID",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/volID",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/volID"
    }
  ]
}
When I apply this policy it does not show me any volumes. I get an error:
error fetching the volume details.
Any lead is appreciated. Thanks.
The best way to test/debug IAM policies is by means of the fantastic IAM Policy Simulator (see Using the IAM Policy Simulator for the actual link and instructions). With its help, the solution below can easily be verified to be working correctly.
I recommend adding a dedicated test user to your account with no policies attached (i.e. implicit Deny All) and then using Mode: New Policy to assemble and simulate the policy in question, e.g. for the use case at hand: AttachVolume and DetachVolume.
Once satisfied, you can apply the assembled policy to the entities in your account and recheck via Mode: Existing Policies.
I wonder how you have been able to apply this IAM policy, insofar as it is syntactically invalid JSON (the Action field within the first Statement lacks any value)? The syntax error aside, that's also the source of your problem:
As indicated by TheseActionsDontSupportResourceLevelPermissions, a few EC2 API actions do not support the comparatively new Resource-Level Permissions for EC2 and RDS Resources yet; see this note from Amazon Resource Names for Amazon EC2:
Important: Currently, not all API actions support individual ARNs; we'll add support for additional API actions and ARNs for additional Amazon EC2 resources later. For information about which ARNs you can use with which Amazon EC2 API actions, as well as supported condition keys for each ARN, see Supported Resources and Conditions for Amazon EC2 API Actions.
You will find that all ec2:Describe* actions are indeed still absent from Supported Resources and Conditions for Amazon EC2 API Actions at the time of this writing. This also includes the ec2:DescribeVolume* actions, which is why you receive the error.
Fixing the first statement as outlined below should remedy the issue:
{
  "Statement": [
    {
      "Sid": "TheseActionsDontSupportResourceLevelPermissions",
      "Action": [
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumeStatus",
        "ec2:DescribeVolumes"
      ],
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "TheseActionsSupportResourceLevelPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": "arn:aws:ec2:<region>:<account number>:volume/<volume id>"
    }
  ]
}
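As an added illustration (not code from the question or the answer), the Python script below assembles the answer's corrected policy for a given region, account and list of volume ids, detects repeated JSON keys such as the multiple "Resource" entries in the question, and lints a policy for the mismatch the answer describes (a Describe* action scoped to an ARN). The account and volume ids in it are constructed placeholders.

```python
import json
import re
# Constructed sample shaped like the question's 2nd statement; "Resource" is repeated.
DUPLICATE_RESOURCE_STATEMENT = """{
  "Sid": "TheseActionsSupportResourceLevelPermissions", "Effect": "Allow",
  "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
  "Resource": "arn:aws:ec2:us-west-2:111111111111:instance/i-0abc",
  "Resource": "arn:aws:ec2:us-east-1:111111111111:volume/vol-0abc"
}"""
# Volume ARN shape from the answer's corrected statement (ids above are placeholders).
VOLUME_ARN = re.compile(r"^arn:aws:ec2:[a-z0-9-]+:\d{12}:volume/vol-[0-9a-f]+$")

def duplicate_keys(policy_text):
    """Return keys that occur more than once; json.loads alone keeps only the last."""
    dupes = []
    def hook(pairs):
        seen = set()
        for key, _ in pairs:
            if key in seen and key not in dupes:
                dupes.append(key)
            seen.add(key)
        return dict(pairs)
    json.loads(policy_text, object_pairs_hook=hook)
    return dupes

def build_volume_policy(region, account_id, volume_ids):
    """Assemble the answer's fix: Describe* on "*", Attach/Detach on the volume ARNs."""
    # Note: AttachVolume is also evaluated against the instance ARN; confirm in the answer's Supported Resources table.
    arns = [f"arn:aws:ec2:{region}:{account_id}:volume/{vol}" for vol in volume_ids]
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "TheseActionsDontSupportResourceLevelPermissions", "Effect": "Allow",
         "Action": ["ec2:DescribeVolumeAttribute", "ec2:DescribeVolumeStatus",
                    "ec2:DescribeVolumes"], "Resource": "*"},
        {"Sid": "TheseActionsSupportResourceLevelPermissions", "Effect": "Allow",
         "Action": ["ec2:AttachVolume", "ec2:DetachVolume"], "Resource": arns}]}

def lint_policy(policy):
    """Flag Describe* scoped to an ARN, or Attach/Detach whose resource is not a volume ARN."""
    findings = []
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        for action in actions:
            if action.startswith("ec2:Describe") and resources != ["*"]:
                findings.append(f'{stmt["Sid"]}: {action} needs Resource "*"')
        if "ec2:AttachVolume" in actions or "ec2:DetachVolume" in actions:
            findings += [f'{stmt["Sid"]}: {r} is not a volume ARN'
                         for r in resources if not VOLUME_ARN.match(r)]
    return findings
```

Run lint_policy over a candidate policy before loading it into the IAM Policy Simulator; the generated policy can be passed to json.dumps as-is.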