[英]For the AWS CDK, how can I determine the appropriate IAM policy and permissions to replace a root account?
I am setting up aws CDK for a new stack on aws, and the docs say essentially "use the root account to start up, but then set up a policy for a new account":我正在为 aws 上的新堆栈设置 aws CDK,文档基本上说“使用 root 帐户启动,然后为新帐户设置策略”:
However, using their recommended assume/* policy almost immediately leads to errors when trying to cdk deploy.但是,在尝试 cdk 部署时,使用他们推荐的 assume/* 策略几乎会立即导致错误。 So what is a mechanism for determining a policy useful and applicable to setting up a full cloudformation stack deployment?
那么,确定对设置完整的 cloudformation 堆栈部署有用和适用的策略的机制是什么?
For one example use case, when setting up continuous integration to deploy multiple stacks how can we avoid giving it the keys to the kingdom?对于一个示例用例,在设置持续集成以部署多个堆栈时,我们如何避免将王国的钥匙交给它?
Since I am part of the aws community builders community, I asked there as well.因为我是 aws 社区建设者社区的一员,所以我也在那里问过。 Suffice it to say that this is a known problem, and not a trivial one to solve.
只要说这是一个已知问题,而不是一个需要解决的小问题就够了。 I will try to distill what I learned into an answer here in broad strokes:
我将尝试将我学到的知识提炼成一个粗略的答案:
Allow all... ...then deny in particular
.Allow all... ...then deny in particular
的许可政策。 In other words, set a policy on the deploying agent that allows * access to all services... ...and then deny permission to create users, change other users, etc etc. Contained within this approach is: bootstrap, then customize
https://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html#bootstrapping-customizingbootstrap, then customize
https ://docs.aws.amazon.com/cdk/v2/guide/bootstrapping.html#bootstrapping-customizing
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.