如何以编程方式在 AWS 组织成员账户中创建角色
[英]How to programmatically create roles in AWS organisation member accounts
问题描述
I want to separate out AWS resources for a multi-tenanted SaaS into separate accounts under an AWS Organization.
我想将多租户 SaaS 的 AWS 资源分离到 AWS 组织下的单独账户中。
- I have multiple OUs, split by function, eg logs, audit, compute.我有多个 OU,由 function 拆分,例如日志、审计、计算。 I will have SCPs associated with each OU.我将拥有与每个 OU 相关联的 SCP。
- Each tenant will have an account under each OU, which means as I add new tenants, each account will inherit the respective SCP to that OU.每个租户在每个 OU 下都有一个帐户,这意味着当我添加新租户时,每个帐户都会将各自的 SCP 继承到该 OU。
To enable the developers to build out the platform and to be able to debug the running system, I want to use a hub-and-spoke type approach to access control using a federated IdP, similar to that described here: https://segment.com/blog/secure-access-to-100-aws-accounts/ .为了使开发人员能够构建平台并能够调试正在运行的系统,我想使用中心辐射型方法来使用联合 IdP 进行访问控制,类似于此处所述: https://segment .com/blog/secure-access-to-100-aws-accounts/ 。
Specifically, I will have an identity account that will be bound to Okta.具体来说,我将拥有一个绑定到 Okta 的identity帐户。 Users will authenticate into this account and then use sts:assume-role to escalate to roles in other accounts.用户将通过此帐户进行身份验证,然后使用sts:assume-role升级到其他帐户中的角色。 Note that I want a separate identity account and not have users authenticate to the master account in the organization (thus within the organization, we have master and identity accounts, plus the OUs each with their respective accounts).请注意,我想要一个单独的identity帐户,并且不让用户对组织中的master帐户进行身份验证(因此在组织内,我们有master帐户和identity帐户,以及每个具有各自帐户的 OU)。
In order to programmatically create a new tenant, I need to create the tenant's accounts and place them in the correct OU, and therefore this needs to be done in the master account.为了以编程方式创建新租户,我需要创建租户的帐户并将它们放置在正确的 OU 中,因此这需要在master帐户中完成。 I can do this by creating a role within the master account and having developers assume that role from the identity account.我可以通过在master帐户中创建一个角色并让开发人员从identity帐户中担任该角色来做到这一点。
How do I create roles in the new accounts that developers can assume from the identity account?如何在开发人员可以从identity帐户承担的新帐户中创建角色? Member accounts have a role called OrganizationAccountAccessRole automatically created (see here for details ), but that is set to only be accessible from the master account and it enables access to everything in that account.成员账户自动创建了一个名为OrganizationAccountAccessRole的角色( 有关详细信息,请参见此处),但该角色设置为只能从主账户访问,并且可以访问该账户中的所有内容。 How can I enable a developer within the identity account to programmatically create new accounts and the roles within them without granting such all-powerful permissions (they should have no more permissions to perform this task than necessary).如何使identity帐户中的开发人员能够以编程方式创建新帐户及其中的角色,而无需授予此类全能权限(他们不应拥有执行此任务的权限)。 I don't think I can assume a role in the master account from the identity account and then further assume a role in a third account?我认为我不能从identity帐户中担任master帐户中的角色,然后在第三个帐户中进一步担任角色吗?
EDIT: I am really only interested in answers that address the steps/configuration needed to achieve the solution I describe.编辑:我真的只对解决实现我描述的解决方案所需的步骤/配置的答案感兴趣。
2 个解决方案
解决方案1
1 2019-10-04 01:35:35
Cloudformation StackSets addresses this problem. Cloudformation StackSets解决了这个问题。
Basically, the steps are:基本上,步骤是:
Set up roles in the child accounts that have permissions to deploy resource with a trust relationship to the role of the parent account (which you're deploying from)
在子账户中设置角色,这些角色有权部署与父账户(您从中进行部署)的角色具有信任关系的资源Create a StackSet in parent account and deploy a Cloudformation template into it to selected accounts or Organizational Units (OU) or whole organization
在父账户中创建 StackSet 并将 Cloudformation 模板部署到其中选择的账户或组织单位 (OU) 或整个组织
StackSets supports AWS Organizations so you can select OU's instead of selecting individual accounts. StackSets 支持 AWS Organizations,因此您可以使用 select OU,而不是选择单个账户。
解决方案2
1 2019-10-04 02:32:04
I would put forward that an elegant solution is to use the AWS Service Catalog product which allows you to create and manage catalogs of services that are approved for use in your AWS environment.我提出一个优雅的解决方案是使用AWS Service Catalog产品,它允许您创建和管理获准在您的 AWS 环境中使用的服务目录。 As a matter of fact, the setup described in this AWS blog post can be customized to achieve what you want.事实上,可以自定义此 AWS 博客文章中描述的设置以实现您想要的。 It provides an example for creating an Account Builder product that when launched by your end users, uses an AWS Lambda script to:它提供了一个创建 Account Builder 产品的示例,当您的最终用户启动该产品时,该产品使用 AWS Lambda 脚本来:
- Provision an AWS member account预置 AWS 成员账户
- Assume the Organizational Role for the account担任帐户的组织角色
- Use a CloudFormation template to customize the account (in your case, to create the additional IAM roles)使用 CloudFormation 模板自定义账户(在您的情况下,创建额外的 IAM 角色)
You can customize it further to even delete the Organizational Role account when it's done.您可以进一步自定义它,甚至在完成后删除组织角色帐户。
Source code for the Lambda function along with the CloudFormation templates is provided that you can tweak to produce the exact behavior you are looking for.提供了 Lambda function 的源代码以及 CloudFormation 模板,您可以对其进行调整以产生您正在寻找的确切行为。
Hope this helps.希望这可以帮助。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.