AWS CodeCommit With Multi-factor Authentication. Keep getting fatal: unable to access .. The requested URL returned error: 403
My IAM User has two policies: AdministratorAccess and ForceMultiFactorAuthentication. When the ForceMultiFactorAuthentication policy is attached, from the Windows command-line I get 403 errors when trying to do anything to the repository (ex: git clone..). When I remove the policy, I can work with the repo (ex: git clone works).

Is there something about my ForceMultiFactorAuthentication policy that is preventing CodeCommit from working? How do I properly set up CodeCommit with Multi-factor authentication?
git clone https://git-codecommit... locally:

    fatal: unable to access 'https://git-codecommit...': The requested URL returned error: 403

git clone.. and it clones the repo. It works. My IAM user has AdministratorAccess. Plus, the policy summary shows CodeCommit has full access to all resources.

My ForceMultiFactorAuthentication policy is below (and is very similar to the AWS-provided one):
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowViewAccountInfo",
                "Effect": "Allow",
                "Action": [
                    "iam:GetAccountPasswordPolicy",
                    "iam:GetAccountSummary",
                    "iam:ListVirtualMFADevices",
                    "iam:ListUsers"
                ],
                "Resource": "*"
            },
            {
                "Sid": "AllowManageOwnPasswords",
                "Effect": "Allow",
                "Action": [
                    "iam:ChangePassword",
                    "iam:GetUser"
                ],
                "Resource": "arn:aws:iam::*:user/${aws:username}"
            },
            {
                "Sid": "AllowManageOwnAccessKeys",
                "Effect": "Allow",
                "Action": [
                    "iam:CreateAccessKey",
                    "iam:DeleteAccessKey",
                    "iam:ListAccessKeys",
                    "iam:UpdateAccessKey"
                ],
                "Resource": "arn:aws:iam::*:user/${aws:username}"
            },
            {
                "Sid": "AllowManageOwnSigningCertificates",
                "Effect": "Allow",
                "Action": [
                    "iam:DeleteSigningCertificate",
                    "iam:ListSigningCertificates",
                    "iam:UpdateSigningCertificate",
                    "iam:UploadSigningCertificate"
                ],
                "Resource": "arn:aws:iam::*:user/${aws:username}"
            },
            {
                "Sid": "AllowManageOwnSSHPublicKeys",
                "Effect": "Allow",
                "Action": [
                    "iam:DeleteSSHPublicKey",
                    "iam:GetSSHPublicKey",
                    "iam:ListSSHPublicKeys",
                    "iam:UpdateSSHPublicKey",
                    "iam:UploadSSHPublicKey"
                ],
                "Resource": "arn:aws:iam::*:user/${aws:username}"
            },
            {
                "Sid": "AllowManageOwnGitCredentials",
                "Effect": "Allow",
                "Action": [
                    "iam:CreateServiceSpecificCredential",
                    "iam:DeleteServiceSpecificCredential",
                    "iam:ListServiceSpecificCredentials",
                    "iam:ResetServiceSpecificCredential",
                    "iam:UpdateServiceSpecificCredential"
                ],
                "Resource": "arn:aws:iam::*:user/${aws:username}"
            },
            {
                "Sid": "AllowManageOwnVirtualMFADevice",
                "Effect": "Allow",
                "Action": [
                    "iam:CreateVirtualMFADevice",
                    "iam:DeleteVirtualMFADevice"
                ],
                "Resource": "arn:aws:iam::*:mfa/${aws:username}"
            },
            {
                "Sid": "AllowManageOwnUserMFA",
                "Effect": "Allow",
                "Action": [
                    "iam:DeactivateMFADevice",
                    "iam:EnableMFADevice",
                    "iam:ListMFADevices",
                    "iam:ResyncMFADevice"
                ],
                "Resource": "arn:aws:iam::*:user/${aws:username}"
            },
            {
                "Sid": "DenyAllExceptListedIfNoMFA",
                "Effect": "Deny",
                "NotAction": [
                    "iam:CreateVirtualMFADevice",
                    "iam:EnableMFADevice",
                    "iam:GetUser",
                    "iam:ListMFADevices",
                    "iam:ListVirtualMFADevices",
                    "iam:ResyncMFADevice",
                    "sts:GetSessionToken",
                    "iam:ListUsers"
                ],
                "Resource": "*",
                "Condition": {
                    "BoolIfExists": {
                        "aws:MultiFactorAuthPresent": "false"
                    }
                }
            }
        ]
    }
The following section in your ForceMultiFactorAuthentication policy denies all requests (except the actions mentioned in the NotAction section) that are not authenticated using MFA:
    {
        "Sid": "DenyAllExceptListedIfNoMFA",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice",
            "iam:EnableMFADevice",
            "iam:GetUser",
            "iam:ListMFADevices",
            "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice",
            "sts:GetSessionToken",
            "iam:ListUsers"
        ],
        "Resource": "*",
        "Condition": {
            "BoolIfExists": {
                "aws:MultiFactorAuthPresent": "false"
            }
        }
    }
With HTTPS Git credentials, you are authenticating to the CodeCommit repository using a username & password. There is no usage of a session token (basically the MFA code), so it is not possible to validate MFA for authentication. As a result your request is denied. Similar is the case with SSH key pair authentication for CodeCommit.

To fix this you can add the required codecommit actions to the NotAction list of the policy. You need to include kms actions as well, because data in CodeCommit repositories is encrypted in transit and at rest, so permission is required for the encrypt and decrypt actions while you are performing clone, pull or push activities from/to repos.

The following policy fixes your CodeCommit 403 error:
    {
        "Sid": "DenyAllExceptListedIfNoMFA",
        "Effect": "Deny",
        "NotAction": [
            "iam:CreateVirtualMFADevice",
            "iam:EnableMFADevice",
            "iam:GetUser",
            "iam:ListMFADevices",
            "iam:ListVirtualMFADevices",
            "iam:ResyncMFADevice",
            "sts:GetSessionToken",
            "iam:ListUsers",
            "codecommit:GitPull",
            "codecommit:GitPush",
            "kms:Encrypt",
            "kms:Decrypt",
            "kms:GenerateDataKey",
            "kms:GenerateDataKeyWithoutPlaintext",
            "kms:DescribeKey"
        ],
        "Resource": "*",
        "Condition": {
            "BoolIfExists": {
                "aws:MultiFactorAuthPresent": "false"
            }
        }
    }
Since you have already attached the AdministratorAccess policy to your user, you don't require the entire content of the ForceMultiFactorAuthentication policy. The above policy is sufficient. If you want to enable the MFA restriction for all IAM users (non-admin users), use the entire content of your policy and attach it to the users.
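The answer hinges on two pieces of IAM semantics: a Deny statement with NotAction matches every action that is not listed, and a BoolIfExists condition on aws:MultiFactorAuthPresent is true when the key is absent from the request, which is exactly the case for long-term credentials such as HTTPS Git credentials. The following script is an added example, not part of the question, the answer or any AWS code: it is a small offline evaluator modelling only that subset of IAM (Action/NotAction matching, BoolIfExists, explicit Deny overriding Allow) and runs the original and the fixed Deny statement, together with an AdministratorAccess-style Allow, against constructed request contexts. The statement lists are copied from the answer; the request contexts and helper names are assumptions made for the example.

```python
"""Offline model of the Deny/NotAction/BoolIfExists pattern from the answer.

Added example; not AWS code. It models only the IAM behaviour the statement
relies on:
  - "NotAction": the statement applies to every action NOT in the list
  - "BoolIfExists" on aws:MultiFactorAuthPresent: the clause matches when the
    key is absent (long-term credentials, e.g. HTTPS Git credentials) or when
    it is present with value "false"; it does not match when the key is "true"
  - an explicit Deny overrides any Allow; with no matching Allow the default
    result is an implicit deny
"""
import fnmatch

# NotAction lists copied from the two policy versions in the answer.
ORIGINAL_NOT_ACTION = [
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
    "sts:GetSessionToken", "iam:ListUsers",
]
FIXED_NOT_ACTION = ORIGINAL_NOT_ACTION + [
    "codecommit:GitPull", "codecommit:GitPush",
    "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
]

# Stand-in for the AdministratorAccess managed policy (assumption: it is a
# single Allow on every action and resource, which is how it behaves here).
ADMIN_ALLOW = {"Sid": "Admin", "Effect": "Allow", "Action": ["*"], "Resource": "*"}

# Constructed request contexts. HTTPS Git credentials and SSH keys are
# long-term credentials, so the MFA key is simply absent from the request.
GIT_CREDENTIALS = {}
TEMP_CREDS_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
SESSION_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}


def deny_if_no_mfa(not_action):
    """Build the DenyAllExceptListedIfNoMFA statement around a NotAction list."""
    return {
        "Sid": "DenyAllExceptListedIfNoMFA",
        "Effect": "Deny",
        "NotAction": list(not_action),
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }


def original_policy():
    return [ADMIN_ALLOW, deny_if_no_mfa(ORIGINAL_NOT_ACTION)]


def fixed_policy():
    return [ADMIN_ALLOW, deny_if_no_mfa(FIXED_NOT_ACTION)]


def _action_matches(stmt, action):
    # "Action" lists what the statement covers; "NotAction" lists what it excludes.
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(action, p) for p in stmt["Action"])
    return not any(fnmatch.fnmatchcase(action, p) for p in stmt["NotAction"])


def _condition_matches(stmt, context):
    # Only BoolIfExists is modelled; a missing key makes the clause match.
    for key, wanted in stmt.get("Condition", {}).get("BoolIfExists", {}).items():
        if key not in context:
            continue
        if str(context[key]).lower() != wanted.lower():
            return False
    return True


def evaluate(statements, action, context):
    """Return 'allow' or 'deny' for one action under the given request context."""
    decision = "deny"  # implicit deny until an Allow matches
    for stmt in statements:
        if not _action_matches(stmt, action) or not _condition_matches(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"  # explicit deny wins regardless of any Allow
        decision = "allow"
    return decision


if __name__ == "__main__":
    cases = [("codecommit:GitPull", GIT_CREDENTIALS), ("codecommit:GitPush", GIT_CREDENTIALS),
             ("kms:Decrypt", GIT_CREDENTIALS), ("codecommit:DeleteRepository", GIT_CREDENTIALS),
             ("s3:DeleteBucket", TEMP_CREDS_NO_MFA), ("s3:DeleteBucket", SESSION_WITH_MFA)]
    for action, ctx in cases:
        print(f"{action:32s} mfa={ctx.get('aws:MultiFactorAuthPresent', '<absent>'):8s} "
              f"original={evaluate(original_policy(), action, ctx):5s} "
              f"fixed={evaluate(fixed_policy(), action, ctx)}")
```

Running it shows why the 403 appears and disappears: with the original statement, codecommit:GitPull from Git credentials hits the Deny because the MFA key is absent; with the fixed list it falls outside the NotAction exclusion and the AdministratorAccess Allow stands, while anything not listed (for example codecommit:DeleteRepository, or any action under temporary credentials without MFA) is still denied. The model also makes the trade-off of the fix explicit: GitPull and GitPush on every repository are now reachable with Git credentials alone, so the strength of those credentials and the aws:MultiFactorAuthPresent check on all other actions is what remains. For the real policies on a real principal, `aws iam simulate-principal-policy --policy-source-arn <user arn> --action-names codecommit:GitPull` evaluates the same question against the account instead of this model.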