AWS IAM Policy applying restrictions to managed instances — invalid ARN?
I'm facing some very weird issues when it comes to policies and managed instances. For example, one of my users is getting this error:

```text
User: arn:aws:iam::708332864XX:user/XXXX is not authorized to perform: ssm:StartSession on resource: arn:aws:ssm:us-east-2:708332864XX:managed-instance/mi-055c2be5596fXXXXX
```
However, when looking at the policies, I don't have the ability to select a managed-instance as a resource:
If I try to just simply replace `instance` with `managed-instance`, then it says the ARN is invalid:
How would I give a user ssm:StartSession permission on managed instances then in this case? The following policy does nothing:

```json
{
    "Sid": "VisualEditor1",
    "Effect": "Allow",
    "Action": [
        "ssm:TerminateSession",
        "ssm:StartSession"
    ],
    "Resource": [
        "arn:aws:ssm:us-east-2:708332864587:managed-instance/*"
    ]
}
```
Apparently this doesn't do anything:
TLDR; I would suggest using the instance ARN instead. I would also verify that your role has access to all documents or at least to `SSM-SessionManagerRunShell`.
The long explanation:
If you read about StartSession in https://docs.aws.amazon.com/service-authorization/latest/reference/list_awssystemsmanager.html you can learn that for StartSession you have in the Resource column three different resource types:

| Actions | Description | Access Level | Resource |
|---|---|---|---|
| StartSession | Grants permission to initiate a connection to a specified target for a Session Manager session | write | document, instance, task |
Each of them has a different ARN structure:

- document - `arn:${Partition}:ssm:${Region}:${Account}:document/${DocumentName}`
- instance - `arn:${Partition}:ec2:${Region}:${Account}:instance/${InstanceId}`
- task - `arn:${Partition}:ecs:${Region}:${Account}:task/${TaskId}`
You can put any other ARNs in the rule, but they will have no effect. But in one way or another the user needs access to all the required resources.
For example (mentioned in the other answer as well): In your question you have `aws:arn: ec2 :.....: managed-instance` with the quote: "If I try to just simply replace instance with managed-instance, then it says the ARN is invalid". Yes, because it is. You cannot just combine the parts of ARNs randomly. Valid ARNs are only the documented ones: https://docs.aws.amazon.com/service-authorization/latest/reference/reference_policies_actions-resources-contextkeys.html
When you describe your "managed instance" you should see in it an id of an EC2 instance. This is the only instance which does exist. The ssm "managed instance" is a structure which stores only the ssm-related data for that particular EC2 instance.
If you read the example policy in the AWS documentation for StartSession you see there: https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-quickstart.html

So you need to figure out how to get the ec2 instance id from the managed instance id, for example with https://docs.aws.amazon.com/cli/latest/reference/ssm/describe-instance-information.html
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:region:987654321098:instance/i-02573cafcfEXAMPLE",
                "arn:aws:ssm:region:account-id:document/SSM-SessionManagerRunShell"
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true"
                }
            }
        },
--cut--
```
Keep in mind that in AWS you may not be able to limit access per resource level for all services. That's especially true for newer services. Or you may not be able to do it easily. For example you can create a lambda function which will start your ec2 instance and will create a policy for it (I don't say that you should do it that way, but it is possible).

Sometimes you can use conditions or you can use the PassRole/AssumeRole mechanism to allow access to the resource by a mechanism which is outside of the IAM service. You may need to be creative and/or sometimes compromise.
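As an added example (not from the question or either answer), a small Python check that applies the three StartSession resource types listed above: it flags Resource entries that match none of them (such as the `ssm ...:managed-instance/` ARN from the question) and builds a statement in the shape of the AWS quickstart policy. The regular expressions, function names and the sample account id are this example's own assumptions.

```python
import re

# ARN shapes for the three StartSession resource types (document, instance,
# task); the regexes are this example's own, from the patterns quoted above.
START_SESSION_RESOURCES = {
    "document": re.compile(r"^arn:[^:]+:ssm:[^:]*:[^:]*:document/.+$"),
    "instance": re.compile(r"^arn:[^:]+:ec2:[^:]*:[^:]*:instance/.+$"),
    "task": re.compile(r"^arn:[^:]+:ecs:[^:]*:[^:]*:task/.+$"),
}

def classify_resource(arn):
    """StartSession resource type an ARN matches, "any" for "*", else None."""
    if arn == "*":
        return "any"
    for rtype, pattern in START_SESSION_RESOURCES.items():
        if pattern.match(arn):
            return rtype
    return None  # e.g. arn:aws:ssm:...:managed-instance/... matches nothing

def lint_start_session(statement):
    """Which Resource entries scope ssm:StartSession and which are ignored."""
    resources = statement.get("Resource", [])
    if isinstance(resources, str):
        resources = [resources]
    kinds = {arn: classify_resource(arn) for arn in resources}
    granted = {k for k in kinds.values() if k is not None}
    return {
        "ignored": [arn for arn, k in kinds.items() if k is None],
        "grants_instance": bool(granted & {"instance", "any"}),
        "grants_document": bool(granted & {"document", "any"}),
    }

def build_start_session(account, region, instance_ids,
                        document="SSM-SessionManagerRunShell"):
    """Statement in the shape of the AWS quickstart policy quoted above."""
    return {
        "Effect": "Allow",
        "Action": ["ssm:StartSession"],
        "Resource": [f"arn:aws:ec2:{region}:{account}:instance/{i}"
                     for i in instance_ids]
        + [f"arn:aws:ssm:{region}:{account}:document/{document}"],
        "Condition": {"BoolIfExists": {"ssm:SessionDocumentAccessCheck": "true"}},
    }

# Constructed sample: the questioner's statement with a placeholder account id.
BROKEN = {
    "Effect": "Allow",
    "Action": ["ssm:TerminateSession", "ssm:StartSession"],
    "Resource": ["arn:aws:ssm:us-east-2:111122223333:managed-instance/*"],
}
```

Running `lint_start_session(BROKEN)` reports the managed-instance ARN as ignored and neither an instance nor a document granted, which is the "does nothing" behaviour from the question; the statement from `build_start_session` lints clean.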
Notice how the managed instance ARN is for the `arn:aws:ssm` namespace:

```text
arn:aws:ssm:us-east-2:708332864XX:managed-instance/mi-055c2be5596fXXXXX
```

You are trying to add permission for the `arn:aws:ec2` namespace, which is why it isn't working.