通过 iam:passrole 创建 iam 用户和 aws 机密
[英]creating iam user and aws secrets via iam:passrole
问题描述
I have two iam roles,
我有两个 iam 角色,
- allaccessrole (with complete aws account access) allaccessrole(具有完整的 aws 帐户访问权限)
- limitedaccessrole (with very limited access to certain services only) limitedaccessrole(仅对某些服务的访问非常有限)
How do I utilize iam:passrole so that limitedaccessrole can utilize the permissions of allaccessrole for creating new resources(ex: a new iam user/ec2 instance)?如何利用iam:passrole使limitedaccessrole可以利用的权限allaccessrole用于创建新的资源(例如:一个新的IAM用户/ EC2实例)?
I added我加了
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "*",
"Condition": {
"StringEquals": {"iam:PassedToService": "iam.amazonaws.com"}
}
}
]
}
to limitedaccessrole 's policy but when I try creating a new user, it still says到limitedaccessrole的政策,但是当我尝试创建一个新用户时,它仍然说
limitedaccessroleis not authorized to perform: iam:CreateUser on resource: arn:aws:iam::myaccnumber:user/new-user-m-trying-to-createlimitedaccessrole无权执行:iam:CreateUser 资源:arn:aws:iam::myaccnumber:user/new-user-m-trying-to-create
I also tried我也试过
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:sts::acc_num:role/limitedaccessrole",
"Condition": {
"StringEquals": {"iam:PassedToService": "iam.amazonaws.com"}
}
}
]
}
This also gives me:这也给了我:
limitedaccessrole is not authorized to perform: iam:CreateUser on resource: arn:aws:iam::myaccnumber:user/new-user-m-trying-to-create
In short is there a way to make limitedaccessrole总之有没有办法让limitedaccessrole
- create resources (a new iam user + secrets) while utilizing a combination of IAM:Passrole and结合使用 IAM:Passrole 和
- an existing
allaccessrole(which can do everything)一个现有的allaccessrole(可以做任何事情) - AND without giving "iam:CreateUser" permission to the
limitedaccessrole.并且没有向limitedaccessrole授予 "iam:CreateUser" 权限。
Appreciate any inputs.感谢任何输入。
EDIT: I think I have a confused understanding of what IAM Passrole does.编辑:我想我对 IAM Passrole 的作用有一个困惑的理解。 Looks like iam passrole is to be used when you want some service to have the same permissions as a specified role, but not when you want one role to take on the permissions of another role.当您希望某些服务具有与指定角色相同的权限时,似乎要使用 iam passrole,而不是当您希望一个角色承担另一个角色的权限时。
1 个解决方案
解决方案1
1 2020-10-05 18:32:15
You want to use the sts:AssumeRole permission to accomplish what you're trying to achieve.您想使用sts:AssumeRole权限来完成您想要实现的目标。
The workflow for this is below:其工作流程如下:
- Resource A has Role A. Role A has permission
sts:AssumeRoleto allow it to assume Role B.资源 A 具有角色 A。角色 A 具有权限sts:AssumeRole以允许其承担角色 B。 - Resource A performs
sts:AssumeRoleto assume Role B. IAM key, secret key and session ID returned.资源 A 执行sts:AssumeRole以sts:AssumeRole入角色 B。返回 IAM 密钥、秘密密钥和会话 ID。 - Resource performs interaction using SDK/CLI specifying specifically the three values returned.资源使用 SDK/CLI 执行交互,具体指定返回的三个值。
To summarise, when you assume a role you use the credentials returned to act as the role.总而言之,当您担任某个角色时,您将使用返回的凭据来充当该角色。 It is not automatic, you could support many roles.它不是自动的,您可以支持许多角色。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.