
What is the AWS user permission that allows attaching and detaching IAM roles to instances?



My colleague is trying to attach an IAM role to an EC2 instance and does not have permission. I am trying to figure out which permissions to give him.

My question is: What is the AWS user permission that allows attaching and detaching IAM Roles to instances?



2 answers in total:

Granting a user permissions to pass a role to an AWS service

To pass a role (and its permissions) to an AWS service, a user must have permission to pass the role to the service. This helps administrators ensure that only approved users can configure a service with a role that grants permissions. To allow a user to pass a role to an AWS service, you must grant the PassRole permission to the user's IAM user, role, or group.

When a user passes a role ARN as a parameter to any API that uses the role to assign permissions to the service, the service checks whether that user has the iam:PassRole permission. To limit the user to passing only approved roles, you can filter the iam:PassRole permission with the Resource element of the IAM policy statement.

Is this what you are looking for?

An example from the page mentioned above:

Example 1

Imagine that you want to grant a user the ability to pass any of an approved set of roles to the Amazon EC2 service upon launching an instance. You need three elements:

  • An IAM permissions policy attached to the role that determines what the role can do. Scope permissions to only the actions that the role needs to perform, and to only the resources that the role needs for those actions. You can use AWS managed or customer-created IAM permissions policy.

    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": [ "A list of the permissions the role is allowed to use" ],
            "Resource": [ "A list of the resources the role is allowed to access" ]
        }
    } 
    
  • A trust policy for the role that allows the service to assume the role. For example, you could attach the following trust policy to the role with the UpdateAssumeRolePolicy action. This trust policy allows Amazon EC2 to use the role and the permissions attached to the role.

    {
        "Version": "2012-10-17",
        "Statement": {
            "Sid": "TrustPolicyStatementThatAllowsEC2ServiceToAssumeTheAttachedRole",
            "Effect": "Allow",
            "Principal": { "Service": "ec2.amazonaws.com" },
            "Action": "sts:AssumeRole"
        }
    }
    
  • An IAM permissions policy attached to the IAM user that allows the user to pass only those policies that are approved. iam:PassRole usually is accompanied by iam:GetRole so that the user can get the details of the role to be passed. In this example, the user can pass only roles that exist in the specified account with names that begin with EC2-roles-for-XYZ-:

    {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole"
            ],
            "Resource": "arn:aws:iam:::role/EC2-roles-for-XYZ-*"
        }]
    }
    

Now the user can start an Amazon EC2 instance with an assigned role. Applications running on the instance can access temporary credentials for the role through the instance profile metadata. The permission policies attached to the role determine what the instance can do.

Attaching and detaching IAM policies

To attach a managed policy (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Policies.

  3. In the list of policies, select the check box next to the name of the policy to attach. You can use the Filter menu and the search box to filter the list of policies.

  4. Choose Policy actions, and then choose Attach.

  5. Select one or more identities to attach the policy to. You can use the Filter menu and the search box to filter the list of principal entities. After selecting the identities, choose Attach policy.

...

To embed an inline policy for a user or role (console)

  1. Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.

  2. In the navigation pane, choose Users or Roles.

  3. In the list, choose the name of the user or role to embed a policy in.

  4. Choose the Permissions tab.

  5. Scroll to the bottom of the page and choose Add inline policy.

    Note

    You cannot embed an inline policy in a service-linked role in IAM. Because the linked service defines whether you can modify the permissions of the role, you might be able to add additional policies from the service console, API, or AWS CLI. To view the service-linked role documentation for a service, see AWS Services That Work with IAM and choose Yes in the Service-Linked Role column for your service.

  6. Choose from the following methods to view the steps required to create your policy:

    • Import an Existing Managed Policy – You can import a managed policy within your account and then edit the policy to customize it to your specific requirements. A managed policy can be an AWS managed policy or a customer managed policy that you created previously.

    • Create a Policy with the Visual Editor – You can construct a new policy from scratch in the visual editor. If you use the visual editor, you do not have to understand JSON syntax.

    • Create a Policy on the JSON Tab – In the JSON tab, you can use JSON syntax to create a policy. You can type a new JSON policy document or paste an example policy.

  7. After you create an inline policy, it is automatically embedded in your user or role.
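An added example, not from the answers above or from AWS, that shows how a PassRole policy like the one in Example 1 actually decides a request: a minimal evaluator applying IAM's explicit-deny-wins rule and wildcard matching to a constructed user policy. The account id 123456789012 is a placeholder; ec2:AssociateIamInstanceProfile and ec2:DisassociateIamInstanceProfile are the EC2 API calls that attach a role to, and detach it from, an instance, which the answers do not name, so their inclusion in the sample policy is this example's assumption.

```python
import json
import re

# Constructed sample, modelled on the PassRole policy in Example 1 above.
# Account id 123456789012 is a placeholder. The ec2:* actions are the EC2 API
# calls that attach/detach an instance profile (the answers do not name them).
USER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["iam:GetRole", "iam:PassRole"],
     "Resource": "arn:aws:iam::123456789012:role/EC2-roles-for-XYZ-*"},
    {"Effect": "Allow",
     "Action": ["ec2:AssociateIamInstanceProfile",
                "ec2:DisassociateIamInstanceProfile"],
     "Resource": "*"},
    {"Effect": "Deny",
     "Action": "iam:PassRole",
     "Resource": "arn:aws:iam::123456789012:role/EC2-roles-for-XYZ-admin"}
  ]
}""")

def _as_list(value):
    # Action, Resource and Statement may be a single value or a list.
    return value if isinstance(value, list) else [value]

def _wildcard_match(pattern, value, case_insensitive=False):
    # IAM wildcards: '*' = any run of characters (slashes included), '?' = one
    # character; everything else is literal.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None

def is_allowed(policy, action, resource):
    """Simplified IAM evaluation: explicit Deny wins, else any matching Allow
    grants, else implicit deny. Actions are case-insensitive, ARNs are not."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        action_hit = any(_wildcard_match(a, action, True)
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(r, resource)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed
```

Running is_allowed against role ARNs inside and outside the EC2-roles-for-XYZ- prefix shows why the Resource filter is what keeps the colleague from passing an unapproved role; real IAM evaluation also consults conditions, permission boundaries and SCPs, which this evaluator omits.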

To create (and assign) IAM roles and permissions, the user needs to have Administrator-level rights within the AWS Account. You can search for admin in the Attach existing policies directly window in the Add permissions to << user name >> section of the IAM module accessible via the Console.

From there, look at the different levels of administrator accounts provided by default; you can further look at the JSON examples provided to better understand the specific access rights you can start assigning, to lock users down to only specific functions.

Edit 2018-01-26 From the AWS Console page:

  • Click Services, type IAM
  • From the IAM console click Users
  • Then select the user, and via the Permissions tab click Add permissions
  • Find "AdministratorAccess"