删除了主要的基于身份的策略。 如何恢复?
[英]Deleted main identity-based policy. How it can be recovered?
问题描述
By mistake the main IAM policy of an account was deleted, and now every single service|configuration on AWS console shows "You don't have permission to XXX...." Is there any way to rebuild-recover this policy?
错误地删除了一个帐户的主要 IAM 策略,现在 AWS 控制台上的每一个服务|配置都显示“您没有 XXX 的权限......”有没有办法重建 - 恢复这个策略? Searched all through docs without clear insights.在没有清晰见解的情况下搜索所有文档。 For example on the IAM dashboard:例如在 IAM 仪表板上:
User: arn:aws:iam::XXXXXXXX:user/XXXXXXX
Service: iam
Action: GetAccountSummary
On resource(s): *
Context: no identity-based policy allows the iam:GetAccountSummary action
Ty everyone大家好
2 个解决方案
解决方案1
0 2022-12-27 18:14:56
Was policy deleted for an IAM user or Root user?是否为 IAM 用户或 Root 用户删除了策略? Getting confused with -混淆 -
By mistake the main IAM policy of an account was deleted
Deleted in sense removed the policy for user?删除在某种意义上删除了用户的策略? Or just deleted the policy?或者只是删除了政策?
If the policy for an IAM user is removed, you can request another IAM user with admin access or a root user to assign the earlier policy back如果 IAM 用户的策略被删除,您可以请求另一个具有管理员访问权限的 IAM 用户或根用户重新分配早期的策略
If policy is deleted, you may need to create it once again & assign it to user如果策略被删除,您可能需要再次创建它并将其分配给用户
解决方案2
0 2022-12-27 22:07:01
If you have any other IAM users (or roles) that have permission to create IAM policies and attach them, then log in using one of those.如果您有任何其他有权创建 IAM 策略并附加它们的 IAM 用户(或角色),则使用其中之一登录。 If not, you will need to log in using root credentials (you generally should not login as root, but this is one of those rare cases where you will need to).如果不是,您将需要使用 root 凭据登录(您通常不应以 root 用户身份登录,但这是您需要的极少数情况之一)。
Then what you need to do is for user user/XXXXXXX , you will associate a policy with that user that allows it access to everything you need in the console.然后你需要做的是为用户user/XXXXXXX ,你将与该用户关联一个策略,允许它访问你在控制台中需要的一切。
- From the example you gave, you need a console user that has access to IAM (and specifically
iam:GetAccountSummary).从您提供的示例中,您需要一个有权访问 IAM(特别是iam:GetAccountSummary)的控制台用户。 Therefore you should look in the IAM policies and see if you have one called AdministratorAccess因此,您应该查看 IAM 策略,看看是否有一个名为AdministratorAccess的策略 - If you have it (if that link worked) then skip to step 3. If not, you will need to create this policy.如果您拥有它(如果该链接有效),则跳至第 3 步。如果没有,您将需要创建此策略。 Create a new policy named
AdministratorAccessand then use this JSON as the Permissions for the policy创建一个名为AdministratorAccess的新策略,然后使用此 JSON 作为该策略的权限
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}
]
}
Now associate the policy with your IAM User.
现在将策略与您的 IAM 用户相关联。 Go to IAM Users and click on user/XXXXXXX.Go 到IAM 用户并单击user/XXXXXXX。- The click Add permissions点击添加权限
- Attach existing policies directly直接附加现有政策
- check the box next to
AdministratorAccess选中AdministratorAccess旁边的框 - Next: Review下一步:审查
- Add permissions添加权限
- The click Add permissions
Log out.
登出。 Then log back in as user/XXXXXXX然后以user/XXXXXXX身份重新登录
NOTE: In general, you do not want to use a user with AdministratorAccess for most tasks.注意:通常,您不希望使用具有AdministratorAccess的用户来执行大多数任务。 Consider creating another user with more limited access for everyday use考虑为日常使用创建另一个具有更有限访问权限的用户
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.