[英]creating iam user and aws secrets via iam:passrole
I have two iam roles,我有两个 iam 角色,
How do I utilize iam:passrole
so that limitedaccessrole
can utilize the permissions of allaccessrole
for creating new resources(ex: a new iam user/ec2 instance)?如何利用
iam:passrole
使limitedaccessrole
可以利用的权限allaccessrole
用于创建新的资源(例如:一个新的IAM用户/ EC2实例)?
I added我加了
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {"iam:PassedToService": "iam.amazonaws.com"}
}
}
]
}
to limitedaccessrole
's policy but when I try creating a new user, it still says到
limitedaccessrole
的政策,但是当我尝试创建一个新用户时,它仍然说
limitedaccessrole
is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::myaccnumber:user/new-user-m-trying-to-createlimitedaccessrole
无权执行:iam:CreateUser 资源:arn:aws:iam::myaccnumber:user/new-user-m-trying-to-create
I also tried我也试过
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:sts::acc_num:role/limitedaccessrole",
"Condition": {
"StringEquals": {"iam:PassedToService": "iam.amazonaws.com"}
}
}
]
}
This also gives me:这也给了我:
limitedaccessrole is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::myaccnumber:user/new-user-m-trying-to-create
limitedaccessrole 无权执行:iam:CreateUser 资源:arn:aws:iam::myaccnumber:user/new-user-m-trying-to-create
In short is there a way to make limitedaccessrole
总之有没有办法让
limitedaccessrole
allaccessrole
(which can do everything)allaccessrole
(可以做任何事情)limitedaccessrole
.limitedaccessrole
授予 "iam:CreateUser" 权限。 Appreciate any inputs.感谢任何输入。
EDIT: I think I have a confused understanding of what IAM Passrole does.编辑:我想我对 IAM Passrole 的作用有一个困惑的理解。 Looks like iam passrole is to be used when you want some service to have the same permissions as a specified role, but not when you want one role to take on the permissions of another role.
当您希望某些服务具有与指定角色相同的权限时,似乎要使用 iam passrole,而不是当您希望一个角色承担另一个角色的权限时。
You want to use the sts:AssumeRole
permission to accomplish what you're trying to achieve.您想使用
sts:AssumeRole
权限来完成您想要实现的目标。
The workflow for this is below:其工作流程如下:
sts:AssumeRole
to allow it to assume Role B.sts:AssumeRole
以允许其承担角色 B。sts:AssumeRole
to assume Role B. IAM key, secret key and session ID returned.sts:AssumeRole
以sts:AssumeRole
入角色 B。返回 IAM 密钥、秘密密钥和会话 ID。 To summarise, when you assume a role you use the credentials returned to act as the role.总而言之,当您担任某个角色时,您将使用返回的凭据来充当该角色。 It is not automatic, you could support many roles.
它不是自动的,您可以支持许多角色。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.