允许AWS IAM用户创建RDS实例

时间:2018-01-25 01:13:59

标签: amazon-web-services amazon-iam rds

我想允许我的AWS IAM用户能够通过AWS UI创建RDS实例。所以添加了以下政策

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": "rds:*",
        "Resource": "*"
    }
]}

用户可以进入"指定数据库详细信息"页面,当提供所有信息和"下一步"点击,我收到以下错误:

目前正在检索帐户属性 我们目前正在检索您的帐户属性。请在几分钟后重试。

enter image description here 请指教。

1 个答案:

答案 0 :(得分:2)

根据documentation

  

要让用户使用Amazon RDS控制台,该用户必须拥有最少的权限集。这些权限允许用户为其AWS账户描述Amazon RDS资源,并提供其他相关信息,包括Amazon EC2安全性和网络信息。

所以你似乎错过了一些EC2和网络权限。

同一文档建议使用预定义的策略 AmazonRDSReadOnlyAccess AmazonRDSFullAccess 。后者定义为:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "rds:*",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "sns:ListSubscriptions",
                "sns:ListTopics",
                "sns:Publish",
                "logs:DescribeLogStreams",
                "logs:GetLogEvents"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": "pi:*",
            "Effect": "Allow",
            "Resource": "arn:aws:pi:*:*:metrics/rds/*"
        },
        {
            "Action": "iam:CreateServiceLinkedRole",
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "rds.amazonaws.com"
                }
            }
        }
    ]
}
相关问题
最新问题