堆栈内存溢出
  简体   繁体   English

如何创建可以为我创建ec2实例的AWS用户?

[英]How do I create an AWS user who can create an ec2 instance for me?

 原文  2015-01-13 14:31:51       amazon-web-services/ amazon-ec2/ amazon-iam

问题描述

I have outsourced the development of some services to another company, and now I need the other company to be able to create an ec2 instance on my behalf. 我已经将某些服务的开发外包给另一家公司,现在我需要另一家公司能够代表我创建ec2实例。

I have other instances which I don't want the company to view and be able to change. 我还有其他一些我不希望公司查看并能够更改的实例。

I know how to create an IAM-user but I don't know how to create the right policy to give that user access to ec2 and to create and manage instances, he/she has created, without having access to other instances. 我知道如何创建IAM用户,但我不知道如何创建正确的策略来授予该用户访问ec2的权限,并创建和管理他/她创建的实例,而无权访问其他实例。

Is it possible and if yes, how does that policy look like ? 是否可能,如果可以,该政策的样子如何?

thanks 谢谢

Thomas 托马斯

1 个解决方案

解决方案1
 0 已采纳  2015-01-14 04:12:48

This is not a simple answer. 这不是一个简单的答案。 Creating an instance requires permission to call the RunInstances command, but would also need permission to use the associated Security Group and AMI. 创建实例需要权限才能调用RunInstances命令,但也需要权限才能使用关联的安全组和AMI。 The other company would also likely want the ability to view details of the instance(s) they have launched, and the ability to Start/Stop it. 另一家公司可能还希望能够查看其启动的实例的详细信息以及启动/停止该实例的能力。

In fact, the EC2 Management Console doesn't work well if you deny permission to view existing EC2 instances. 实际上,如果您拒绝查看现有EC2实例的权限,则EC2管理控制台将无法正常运行。

Resource-specific permissions can be granted, which allow only calls that affect a particular instance (or VPC, AMI, etc). 可以授予特定于资源的权限,该权限仅允许影响特定实例(或VPC,AMI等)的调用。 So, a RunInstances command could be limited to a specific AMI, keypair, snapshot, subnet, etc. The StopInstances command could then be limited to the instance they created (but you'd need the ID, so you can only grant that once the instance is launched). 因此,可以将RunInstances命令限制为特定的AMI,密钥对,快照,子网等。然后,将StopInstances命令限制为它们创建的实例(但是您需要ID,因此只有在实例启动)。

Also, please note that launching an instance requires permissions in Identity and Access Management (IAM), which is separate to permissions to login to an instance. 另外,请注意,启动实例需要身份和访问管理(IAM)中的权限,该权限与登录实例的权限分开。

Recommendation: It might be safest if you were to launch the instance for them, then provide them with access to login to the instance to perform their work. 建议:如果要为他们启动实例,然后为他们提供登录实例以执行其工作的访问权限,那可能是最安全的。 If they require more access to your AWS Account, it could become quite involved determining to which resources they should/shouldn't have access. 如果他们需要更多访问您的AWS账户的权限,那么确定他们应该/不应该访问哪些资源可能就变得很复杂。

See: 看到:

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何使用Ansible创建AWS EC2实例并将其分配给ELB? - How do I create an AWS EC2 instance and assign it to an ELB using Ansible? 如何在EC2实例中创建用户? - How to create a user in EC2 instance? 如何通过AWS API创建应用程序并将其部署到EC2实例? - How can I create and deploy applications to an EC2 instance via the AWS API? 如何创建 AWS ec2 实例克隆以使用单独的域名重新设计网站? - How can I create an AWS ec2 instance clone for redesigning website using a separate domain name? 如何使用 aws2 cli 创建 AWS EC2 实例? - How to create an AWS EC2 instance with aws2 cli? 如何在 AWS 中编写一个 Lamdda function 以允许我连接到运行 MySQL 的 EC2 实例 - How do I write a Lamdda function in AWS that allows me to connect to an EC2 instance that is running MySQL amazon ec2 - 通过Ansible为用户创建AWS EC2实例失败 - amazon ec2 - AWS EC2 instance create fails for user via Ansible 使用AWS凭证由Ansible创建EC2实例 - Create EC2 instance by Ansible with aws credentials AWS CLI创建ec2实例UnicodeEncodeError - AWS CLI create ec2 instance UnicodeEncodeError AWS 在访问时创建一个 EC2 实例 - AWS create an EC2 instance when accessed
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM