在 AWS 云形成中扮演的角色
[英]Assumable role in an AWS cloud formation
问题描述
Using AWS, I'm building a cloud formation stack defining the following:
使用 AWS,我正在构建定义以下内容的云形成堆栈:
- Several resources (for the sake of simplicity, not transcribed below)几个资源(为了简单起见,下面没有转录)
- A Policy called
MyPolicyallowing to use those resources (for the sake of simplicity, not transcribed below)一个名为MyPolicy的策略允许使用这些资源(为了简单起见,下面没有转录) - A Role called
MyRolesubmitted to that policy提交给该策略的名为MyRole的角色
The stack will be created by an admin;堆栈将由管理员创建; and once created, the goal is to allow (from outside the stack) some users to assume MyRole in order to use the several resources.一旦创建,目标是允许(从堆栈外部)一些用户承担MyRole以使用多个资源。
My question: How should the role be defined in order be assumable by users (specific users would be allowed from outside the stack)?我的问题:应该如何定义角色以便用户可以承担(特定用户将被允许来自堆栈外部)?
In AWS help page, they give an example where "Service": [ "ec2.amazonaws.com" ] , meaning that an ec2 instance is allowed to assume that rôle... But I don't understand how it translates to users, and no example is given regarding that scenario.在 AWS 帮助页面中,他们给出了一个示例,其中"Service": [ "ec2.amazonaws.com" ] ,这意味着允许ec2实例承担该角色......但我不明白它如何转化为用户,并且没有给出关于该场景的示例。
Below is my stack definition using JSON format:下面是我使用JSON格式的堆栈定义:
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"MyRole" : {
"Type": "AWS::IAM::Role",
"RoleName": "MyRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": [ "??" ] },
"Action": [ "sts:AssumeRole" ]
}
]
},
"ManagedPolicyArns": [ { "Fn::GetAtt" : [ "MyPolicy", "Arn" ] } ],
}
}
}
2 个解决方案
解决方案1
3 已采纳 2018-06-08 15:55:02
Good question! 好问题! Simply use your root user ARN as the principal. 只需使用root用户ARN作为主体。 This will allow you to control which user can assume the role using IAM. 这将允许您控制哪个用户可以使用IAM担任该角色。 Here's an example (in YAML for my own sanity): 这是一个例子(在我自己的理智中为YAML):
AdministratorRole:
Type: AWS::IAM::Role
Properties:
RoleName: administrator
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
Action: sts:AssumeRole
Condition:
Bool:
aws:MultiFactorAuthPresent: 'true'
Path: "/"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AdministratorAccess
AssumeAdministratorRolePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: "AssumeRolePolicy-Administrator"
Description: "Assume the administrative role"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: "AssumeAdministratorRolePolicy"
Effect: "Allow"
Action:
- "sts:AssumeRole"
Resource: !GetAtt AdministratorRole.Arn
AssumeAdministratorRoleGroup:
Type: AWS::IAM::Group
Properties:
GroupName: "AssumeRoleGroup-Administrator"
ManagedPolicyArns:
- !Ref AssumeAdministratorRolePolicy
Only thing left is to add user to the AssumeRoleGroup-Administrator group. 剩下的就是将用户添加到AssumeRoleGroup-Administrator组。
Bonus: I've added a condition to only allow users that have logged using MFA to assume the role. 额外奖励:我添加了一个条件,仅允许使用MFA记录的用户担任该角色。
Also, just swap your ${AWS::AccountId} for another account ID you own and you can cross-account assume roles easily. 此外,只需将您的${AWS::AccountId}换成您拥有的其他帐户ID,您就可以轻松地跨帐户承担角色。
解决方案2
0 2022-04-12 20:21:03
Let says you want Account B can assume the Role to Access Account A to have custom list S3 access and AWS managed Rout53 Full access:假设您希望账户B可以承担访问账户A的角色以具有自定义列表 S3 访问权限和 AWS 管理的 Rout53 完全访问权限:
Then use Account A for the CloudFormation below:然后将帐户A用于以下 CloudFormation:
Parameters:
AccountBId:
Type: String
environment:
Type: String
Default: development
AllowedValues:
- development
- production
Resources:
# Account A:
ListS3Access:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- "s3:ListAllMyBuckets"
- "s3:ListBucket"
- "s3:ListBucketVersions"
- "s3:GetObject"
Resource: '*'
TestRole:
Type: AWS::IAM::Role
Description: Test Role
DependsOn:
- ListS3Access
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AccountBId}:root'
Action: sts:AssumeRole
ManagedPolicyArns:
- !Ref ListS3Access
- arn:aws:iam::aws:policy/AmazonRoute53FullAccess
Tags:
- Key: environment
Value: !Ref environment
After you run the Account A cloudformation, you should get the TestRole arn, save it for Account B later usage运行账户A cloudformation 后,您应该获得TestRole arn,将其保存以供账户B稍后使用
On the Account B for the CloudFormation Below:在以下 CloudFormation 的帐户B上:
Parameters:
AccountAId:
Type: String
roleName:
Type: String
Default: xxxxxxxxx
Resources:
AssumeTestRolePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: "Assume My Test role"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: "AssumeTestRolePolicy"
Effect: "Allow"
Action:
- "sts:AssumeRole"
Resource: !Sub 'arn:aws:iam::${AccountAId}:role/${roleName}'
AssumeTestRoleGroup:
Type: AWS::IAM::Group
DependsOn:
- AssumeTestRolePolicy
Properties:
GroupName: "AssumeRoleGroup"
ManagedPolicyArns:
- !Ref AssumeTestRolePolicy
when you run the Account B cloudFormation, give the TestRole Arn you got from Account A , and provide it to roleName当您运行账户B cloudFormation 时,将您从账户A获得的TestRole Arn 提供给roleName
After both cloudFormation has been deploy, login to Account B , assign the user to the group, and you should be able use the user to switch the Role.两个cloudFormation都部署好后,登录Account B ,将用户分配到组,你应该可以使用用户切换角色。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.