我在AWS上使用poweruser策略创建了用户。政策是
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"NotAction": "iam:*",
"Resource": "*"
}
]
}
现在,关注文档(http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html#creds-policies-credentials)我创建了自定义策略,允许用户管理自己的密码和密钥:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:*LoginProfile",
"iam:*AccessKey *",
"iam:ChangePassword",
"iam:*SSHPublicKey *"
],
"Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
},
{
"Effect": "Allow",
"Action": [
"iam:ListAccount*",
"iam:GetAccountSummary",
"iam:GetAccountPasswordPolicy",
"iam:ListUsers"
],
"Resource": "*"
}
]
}
我还在收到错误
用户:arn:aws:iam :: 1234567890:用户/学生无权执行:iam:资源上的CreateLoginProfile:用户学生。模拟给出了明确的拒绝错误,根据这些政策并非如此。
答案 0 :(得分:0)
请参阅下面的代码,其中account-id-without-hyphens将其替换为您的帐号,并且可以使用。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:*LoginProfile",
"iam:*AccessKey *",
"iam:ChangePassword",
"iam:*SSHPublicKey *"
],
"Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
},
{
"Effect": "Allow",
"Action": [
"iam:ListAccount*",
"iam:GetAccountSummary",
"iam:GetAccountPasswordPolicy",
"iam:ListUsers"
],
"Resource": "*"
}
]
}