

AWS CodeCommit With Multi-factor Authentication. Keep getting fatal: unable to access .. The requested URL returned error: 403

What's the Problem?

My IAM User has two policies: AdministratorAccess and ForceMultiFactorAuthentication. When the ForceMultiFactorAuthentication policy is attached, from the Windows command-line, I get 403 errors when trying to do anything to the repository (ex: git clone ..). When I remove the policy, I can work with the repo (ex: git clone works).

My Question

Is there something about my ForceMultiFactorAuthentication policy that is preventing CodeCommit from working? How do I properly set up CodeCommit with Multi-factor authentication?

General Recreation Steps

  1. Create an IAM user group named "Admins" with AdministratorAccess and ForceMultiFactorAuthentication permissions
  2. Create a non-root IAM user
  3. Add non-root IAM user to "Admins" group
  4. Logged in as non-root IAM user, on Security Credentials tab, set up MFA auth (scan QR code, etc.), AND create HTTPS Git credentials for AWS CodeCommit
  5. Create a repo in CodeCommit
  6. From command-line, attempt git clone https://git-codecommit... locally
  7. Command-line returns fatal: unable to access 'https://git-codecommit...': The requested URL returned error: 403
  8. My non-root IAM user removes ForceMultiFactorAuthentication policy from "Admins" group
  9. git clone .. and it clones the repo. It works.

Doesn't make sense because...

My IAM user has AdministratorAccess. Plus, the policy summary shows CodeCommit has full access to all resources.


My ForceMultiFactorAuthentication policy is below (and is very similar to the AWS-provided one):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:ListVirtualMFADevices",
                "iam:ListUsers"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
                "iam:ListUsers"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

The following section in your ForceMultiFactorAuthentication policy denies all requests (except the actions mentioned in the NotAction section) that are not authenticated using MFA:

{
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
        "iam:ListUsers"
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false"
        }
    }
}

With HTTPS Git credentials, you are authenticating to the CodeCommit repository using the username & password. There is no usage of a session token (basically the MFA code). So it is not possible to validate MFA for authentication. As a result your request is denied. Similar is the case with SSH key pair authentication for CodeCommit.

To fix this you can add the required codecommit actions to the NotAction list of the policy. You need to include kms actions as well, because data in CodeCommit repositories is encrypted in transit and at rest, so permission is required for encrypt and decrypt actions while you are performing clone, pull or push activities from/to repos.

The following policy fixes your CodeCommit 403 error.

{
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
        "iam:ListUsers",
        "codecommit:GitPull",
        "codecommit:GitPush",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false"
        }
    }
}

Since you have already attached the AdministratorAccess policy to your user, you don't require the entire content of the ForceMultiFactorAuthentication policy. The above policy is sufficient. If you want to enable the MFA restriction for all IAM users (non-admin users), use the entire content of your policy and attach it to the users.
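The answer's reasoning (Git credentials carry no MFA context, BoolIfExists treats a missing key as a match, so the Deny fires; adding the CodeCommit and KMS actions to NotAction carves them out) can be checked offline. The script below is an added example written for this page, not AWS's policy engine and not code from the answer: it models only a single Deny statement with NotAction and a BoolIfExists condition, and the three request contexts (Git credentials with no MFA key, a console session with MFA, an STS session without MFA) are constructed assumptions for the demo. It runs the original and fixed statements from the answer against the actions a `git clone` needs, and also shows that the carve-out stays narrow: management actions such as codecommit:DeleteRepository are still denied without MFA.

```python
"""Toy evaluator for the Deny-unless-MFA statement from the answer above.

Added illustration, not the AWS policy engine: Allow statements,
resource ARNs and other policy types are deliberately left out. Only
"Deny" + "NotAction" + "BoolIfExists" on aws:MultiFactorAuthPresent
are modelled, because those are the pieces that produce the 403.
"""
import fnmatch
from typing import Dict, List

# Deny statement as posted in the question (the one causing the 403).
ORIGINAL_DENY = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
        "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
        "sts:GetSessionToken", "iam:ListUsers",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

# Same statement with the answer's CodeCommit and KMS carve-outs added.
FIXED_DENY = {
    **ORIGINAL_DENY,
    "NotAction": ORIGINAL_DENY["NotAction"] + [
        "codecommit:GitPull", "codecommit:GitPush",
        "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
    ],
}

# Constructed request contexts (assumptions for the demo, not captured data).
# HTTPS Git credentials carry no MFA information, so the
# aws:MultiFactorAuthPresent key is simply absent from the context.
GIT_HTTPS_CREDENTIALS: Dict[str, str] = {}
CONSOLE_SESSION_WITH_MFA = {"aws:MultiFactorAuthPresent": "true"}
STS_SESSION_WITHOUT_MFA = {"aws:MultiFactorAuthPresent": "false"}


def action_matches(pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive and accept '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def bool_if_exists_matches(condition: Dict[str, str], context: Dict[str, str]) -> bool:
    """BoolIfExists semantics: a key missing from the request context counts
    as a match; a present key must equal the expected boolean value."""
    for key, expected in condition.items():
        if key not in context:
            continue  # missing key -> condition treated as satisfied
        if str(context[key]).lower() != str(expected).lower():
            return False
    return True


def deny_applies(statement: dict, action: str, context: Dict[str, str]) -> bool:
    """True when `statement` explicitly denies `action` for this request context."""
    if statement.get("Effect") != "Deny":
        return False
    # NotAction: the statement covers every action that is NOT in the list.
    if any(action_matches(p, action) for p in statement.get("NotAction", [])):
        return False
    condition = statement.get("Condition", {}).get("BoolIfExists", {})
    return bool_if_exists_matches(condition, context)


def denied_actions(statement: dict, actions: List[str], context: Dict[str, str]) -> List[str]:
    """Subset of `actions` that the statement explicitly denies under `context`."""
    return [a for a in actions if deny_applies(statement, a, context)]


if __name__ == "__main__":
    # What a `git clone` over HTTPS needs: GitPull plus KMS calls for the
    # encrypted repository data.
    clone_actions = ["codecommit:GitPull", "kms:Decrypt", "kms:DescribeKey"]
    for name, stmt in (("original", ORIGINAL_DENY), ("fixed", FIXED_DENY)):
        print(f"{name:9s} clone with Git credentials, denied actions:",
              denied_actions(stmt, clone_actions, GIT_HTTPS_CREDENTIALS))
    print("fixed     DeleteRepository without MFA denied:",
          deny_applies(FIXED_DENY, "codecommit:DeleteRepository", GIT_HTTPS_CREDENTIALS))
```

The design point worth keeping in mind when adopting the fix: after the carve-out, the Git credential alone (no second factor) is enough for pull and push, so repository contents are no longer behind the MFA gate; everything else in CodeCommit, and every other service, remains denied until the session carries aws:MultiFactorAuthPresent=true.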

