限制 AWS IAM 角色只修改其他角色的特定 IAM 权限?
[英]Limit AWS IAM role to modify only specific IAM permissions of other roles?
问题描述
We have a CI/CD-runner with a certain set of IAM permissions.
我们有一个具有一组特定 IAM 权限的 CI/CD 运行器。 We would like to allow that runner to modify specific permissions of a particular IAM role, respectively modify a particular policy within certain borders.我们希望允许该运行器修改特定 IAM 角色的特定权限,分别修改特定边界内的特定策略。 It should only be permitted to, eg, add or remove resources to/from a set of "athena:..." actions or modify the permissions in the "athena:..." action space.它应该只被允许,例如,向一组“athena:...”操作添加或从中删除资源或修改“athena:...”操作空间中的权限。 It must not be allowed to add or modify, say, "iam:..." permissions for that particular role.不得允许添加或修改该特定角色的“iam:...”权限。
Is it possible to limit a role in such a way that only specific modifications to another role's policy are allowed?是否可以通过只允许对另一个角色的策略进行特定修改的方式来限制角色?
1 个解决方案
解决方案1
1 已采纳 2022-05-04 16:31:13
I'll try to restate in order to check if I understood correctly.我将尝试重述以检查我是否理解正确。
You have a CICD agent (let's call it CICDUser) that can assume a role with some policies and a Runner (let's call it RunnerUser) which performs actions on the AWS platform.您有一个 CICD 代理(我们称之为 CICDUser),它可以承担一些策略的角色,还有一个 Runner(我们称之为 RunnerUser),它在 AWS 平台上执行操作。
You want to allow CICDUser to modify RunnerUser's IAM permissions within predefined boundaries (in terms of actions and resources).您希望允许 CICDUser 在预定义的边界内(在操作和资源方面)修改 RunnerUser 的 IAM 权限。
To do that, I suggest the following approach:为此,我建议采用以下方法:
Step 1 - Create Runner's policy boundaries (let's call it RunnerBoundaries) and attach it to the RunnerUser.第 1 步- 创建 Runner 的策略边界(我们称之为 RunnerBoundaries)并将其附加到 RunnerUser。 For example:例如:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "athena:*",
"Resource": [
"arn:aws:athena:eu-central-1:012345678910:datacatalog/catalog-name-1",
"arn:aws:athena:eu-central-1:012345678910:datacatalog/catalog-name-2"
]
}
]
}
In this example, you are allowing RunnerUser to have maximum privileges only on catalog-name-1 and catalog-name-2 actions (but the actual allowed actions will be set by the following policy).在此示例中,您允许 RunnerUser 仅对catalog-name-1和catalog-name-2操作具有最大权限(但实际允许的操作将由以下策略设置)。
Step 2 - Create Runner's policy (let's call it RunnerPolicy) for actual permissions and attach it to RunnerUser.第 2 步- 为实际权限创建 Runner 的策略(我们称之为 RunnerPolicy)并将其附加到 RunnerUser。 Even if you give give Administrator access to the RunnerUser here, everything will be bounded on the RunnerBoundaries.即使您在此处授予管理员对 RunnerUser 的访问权限,所有内容都将受 RunnerBoundaries 限制。
Step 3 - Allow the CICDUser to update (only) RunnerPolicy document.第 3 步- 允许 CICDUser 更新(仅)RunnerPolicy 文档。 Every update will be bounded to the RunnerBoundaries document in terms of actions and resources like in point 2. You can give CICDUser this permission with a CICDPolicy like this:就第 2 点中的操作和资源而言,每次更新都将绑定到 RunnerBoundaries 文档。您可以使用 CICDPolicy 向 CICDUser 授予此权限,如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action":
"iam:CreatePolicyVersion"
],
"Resource": "arn:aws:iam::012345678910:policy/RunnerPolicy"
}
]
}
In this way, CICDUser will be able to modify only the RunnerPolicy.这样,CICDUser 将只能修改 RunnerPolicy。
You can do a lot of thing in many different ways using the combination of Policies + Boundaries + Roles.您可以使用策略 + 边界 + 角色的组合以许多不同的方式做很多事情。 Follow this documentation for more details.请按照此文档了解更多详细信息。
Disclaimer : I'm working in AWS, but this is not to be considered an official AWS answer, it's just my point of view.免责声明:我在 AWS 工作,但这不是 AWS 的官方回答,这只是我的观点。 I didn't tested this examples fully and everything I've reported must be validated properly before using it.我没有对这些示例进行全面测试,我报告的所有内容都必须在使用前进行正确验证。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.