I am following the tutorial found here to use an on-premises server with CodeDeploy. I am confused about the first few steps. When I create the role for the on-premises server, what should I choose as the service that will use this role (in the console)? I do understand which policies the role should have: allow the s3:Get and s3:List actions on all resources. For additional information, I want to use the aws-codedeploy-session-helper tool to periodically refresh session credentials for me; the IAM user this tool uses has the following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:CreateUser",
                "iam:DeleteAccessKey",
                "iam:DeleteUser",
                "iam:DeleteUserPolicy",
                "iam:ListAccessKeys",
                "iam:ListUserPolicies",
                "iam:PutUserPolicy",
                "iam:GetUser",
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteInstanceProfile",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "autoscaling:*",
                "codedeploy:*",
                "ec2:*",
                "lambda:*",
                "elasticloadbalancing:*",
                "s3:*"
            ],
            "Resource": "*"
        }
    ]
}
Answer 0 (score: 2)
You need to allow the on-premises server to call the STS AssumeRole API, so the service should be "STS".
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<ACCOUNT-ID>:role/<ROLENAME>"
    }
}
Then add a "Trust" policy for the server in the IAM role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<ACCOUNT-ID>:user/<USER-NAME>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
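The two policies in the answer only work as a pair: the user's identity policy must allow sts:AssumeRole on the role, and the role's trust policy must name that user as a principal. The following is an added example (not from the original post, nor part of the session helper or AWS tooling) that checks both halves offline and lists the "service:*" wildcards in the questioner's policy that a credential-refresh user does not need; the account id, role name and user name are constructed placeholders.

```python
# Constructed placeholder values (not from the original post).
ACCOUNT = "123456789012"
ROLE_ARN = "arn:aws:iam::" + ACCOUNT + ":role/CodeDeployOnPremRole"
USER_ARN = "arn:aws:iam::" + ACCOUNT + ":user/codedeploy-session-user"

# Identity policy from the answer: the session-helper user may only assume this one role.
ANSWER_USER_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}}

# Trust policy from the answer: the role trusts exactly that IAM user.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole"}]}

# Abbreviated form of the questioner's session-helper user policy.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["iam:CreateAccessKey", "iam:PassRole", "autoscaling:*", "codedeploy:*",
               "ec2:*", "lambda:*", "elasticloadbalancing:*", "s3:*"]}]}


def _as_list(value):
    # IAM allows Statement, Action, Resource and Principal.AWS as a string or a list.
    return value if isinstance(value, list) else [value]


def user_can_assume(policy, role_arn):
    """True if an Allow statement grants sts:AssumeRole on role_arn (or via a wildcard)."""
    for stmt in _as_list(policy["Statement"]):
        actions = set(_as_list(stmt.get("Action", [])))
        resources = set(_as_list(stmt.get("Resource", [])))
        if (stmt.get("Effect") == "Allow" and actions & {"sts:AssumeRole", "sts:*", "*"}
                and resources & {role_arn, "*"}):
            return True
    return False


def role_trusts_user(trust_policy, user_arn):
    """True if the trust policy names user_arn as an AWS principal for sts:AssumeRole."""
    for stmt in _as_list(trust_policy["Statement"]):
        principal = stmt.get("Principal", {})
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRole" in _as_list(stmt.get("Action", []))
                and isinstance(principal, dict)
                and user_arn in _as_list(principal.get("AWS", []))):
            return True
    return False


def wildcard_actions(policy):
    """Actions of the form '*' or 'service:*', far broader than a credential-refresh user needs."""
    return [a for stmt in _as_list(policy["Statement"])
            for a in _as_list(stmt.get("Action", [])) if a == "*" or a.endswith(":*")]
```

Run both checks against your real policy documents (for example exported with the AWS CLI) before registering the on-premises instance; if either returns False, AssumeRole will be denied regardless of how broad the user's other permissions are.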