[英]Assumable role in an AWS cloud formation
使用 AWS,我正在构建定义以下内容的云形成堆栈:
MyPolicy
的策略允许使用这些资源(为了简单起见,下面没有转录)MyRole
的角色堆栈将由管理员创建; 一旦创建,目标是允许(从堆栈外部)一些用户承担MyRole
以使用多个资源。
我的问题:应该如何定义角色以便用户可以承担(特定用户将被允许来自堆栈外部)?
在 AWS 帮助页面中,他们给出了一个示例,其中"Service": [ "ec2.amazonaws.com" ]
,这意味着允许ec2
实例承担该角色......但我不明白它如何转化为用户,并且没有给出关于该场景的示例。
下面是我使用JSON
格式的堆栈定义:
{
"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"MyRole" : {
"Type": "AWS::IAM::Role",
"RoleName": "MyRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": [ "??" ] },
"Action": [ "sts:AssumeRole" ]
}
]
},
"ManagedPolicyArns": [ { "Fn::GetAtt" : [ "MyPolicy", "Arn" ] } ],
}
}
}
好问题! 只需使用root用户ARN作为主体。 这将允许您控制哪个用户可以使用IAM担任该角色。 这是一个例子(在我自己的理智中为YAML):
AdministratorRole:
Type: AWS::IAM::Role
Properties:
RoleName: administrator
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
Action: sts:AssumeRole
Condition:
Bool:
aws:MultiFactorAuthPresent: 'true'
Path: "/"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AdministratorAccess
AssumeAdministratorRolePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: "AssumeRolePolicy-Administrator"
Description: "Assume the administrative role"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: "AssumeAdministratorRolePolicy"
Effect: "Allow"
Action:
- "sts:AssumeRole"
Resource: !GetAtt AdministratorRole.Arn
AssumeAdministratorRoleGroup:
Type: AWS::IAM::Group
Properties:
GroupName: "AssumeRoleGroup-Administrator"
ManagedPolicyArns:
- !Ref AssumeAdministratorRolePolicy
剩下的就是将用户添加到AssumeRoleGroup-Administrator组。
额外奖励:我添加了一个条件,仅允许使用MFA记录的用户担任该角色。
此外,只需将您的${AWS::AccountId}
换成您拥有的其他帐户ID,您就可以轻松地跨帐户承担角色。
假设您希望账户B
可以承担访问账户A
的角色以具有自定义列表 S3 访问权限和 AWS 管理的 Rout53 完全访问权限:
然后将帐户A
用于以下 CloudFormation:
Parameters:
AccountBId:
Type: String
environment:
Type: String
Default: development
AllowedValues:
- development
- production
Resources:
# Account A:
ListS3Access:
Type: AWS::IAM::ManagedPolicy
Properties:
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- "s3:ListAllMyBuckets"
- "s3:ListBucket"
- "s3:ListBucketVersions"
- "s3:GetObject"
Resource: '*'
TestRole:
Type: AWS::IAM::Role
Description: Test Role
DependsOn:
- ListS3Access
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::${AccountBId}:root'
Action: sts:AssumeRole
ManagedPolicyArns:
- !Ref ListS3Access
- arn:aws:iam::aws:policy/AmazonRoute53FullAccess
Tags:
- Key: environment
Value: !Ref environment
运行账户A
cloudformation 后,您应该获得TestRole
arn,将其保存以供账户B
稍后使用
在以下 CloudFormation 的帐户B
上:
Parameters:
AccountAId:
Type: String
roleName:
Type: String
Default: xxxxxxxxx
Resources:
AssumeTestRolePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
Description: "Assume My Test role"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: "AssumeTestRolePolicy"
Effect: "Allow"
Action:
- "sts:AssumeRole"
Resource: !Sub 'arn:aws:iam::${AccountAId}:role/${roleName}'
AssumeTestRoleGroup:
Type: AWS::IAM::Group
DependsOn:
- AssumeTestRolePolicy
Properties:
GroupName: "AssumeRoleGroup"
ManagedPolicyArns:
- !Ref AssumeTestRolePolicy
当您运行账户B
cloudFormation 时,将您从账户A
获得的TestRole
Arn 提供给roleName
两个cloudFormation都部署好后,登录Account B
,将用户分配到组,你应该可以使用用户切换角色。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.