I am trying to create an access-restricted IAM user who is only allowed to manage environments under a specific EB application.
That is, under the EB application named X, the user should be able to create/delete/modify any existing environment.
This fails. The IAM user can log in and create an environment, but during setup gets the following error (image taken from the environment dashboard log):
Currently the user's IAM policy looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:PassRole",
"iam:ListAttachedRolePolicies",
"ec2:*",
"cloudformation:*",
"elasticbeanstalk:CheckDNSAvailability",
"iam:ListRolePolicies",
"autoscaling:*",
"iam:GetRolePolicy",
"elasticbeanstalk:ListPlatformVersions"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::elasticbeanstalk-*/*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObjectAcl",
"s3:PutBucketPolicy",
"s3:CreateBucket",
"s3:ListBucket",
"s3:DeleteObject",
"s3:GetBucketPolicy",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::elasticbeanstalk-[aws-area]-[root-user-id]",
"arn:aws:s3:::elasticbeanstalk-[aws-area]-[root-user-id]/*"
]
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": "elasticbeanstalk:*",
"Resource": [
"arn:aws:elasticbeanstalk:*:*:configurationtemplate/[app-name]/*",
"arn:aws:elasticbeanstalk:[aws-area]:[root-user-id]:environment/[app-name]/*",
"arn:aws:elasticbeanstalk:[aws-area]:[root-user-id]:applicationversion/[app-name]/*",
"arn:aws:elasticbeanstalk:[aws-area]:[root-user-id]:application/[app-name]",
"arn:aws:elasticbeanstalk:*::solutionstack/*"
]
}
]
}
Is there a way to solve this? How do I associate the profile? It seems some permission is missing, and AWS cannot attach the instance profile or something like that.
Answer 0 (score: 0)
This is the policy I came up with after I could not get the posted policy to work. I'm sure it can be tuned further to make it more precise, etc.
The policy below will allow the user to interact with a single EB application. Note that EB needs full access to certain AWS services such as EC2, S3, CloudFormation, etc.
As stated in the Amazon documentation:
While you can restrict how a user interacts with the Elastic Beanstalk API, there is currently no effective way to prevent a user who has permission to create the necessary underlying resources from creating other resources in Amazon EC2 and other services.
Policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateEnvironment",
"Effect": "Allow",
"Action": "elasticbeanstalk:CreateEnvironment",
"Resource": [
"arn:aws:elasticbeanstalk:[zone]:[user-id]:environment/[eb-app-name]/*",
"arn:aws:elasticbeanstalk:[zone]:[user-id]:application/[eb-app-name]/*"
]
},
{
"Sid": "GlobalUnspecificResources",
"Effect": "Allow",
"Action": [
"sns:*",
"iam:List*",
"s3:*",
"cloudwatch:*",
"ecs:*",
"ec2:*",
"cloudformation:*",
"sqs:*",
"autoscaling:*",
"elasticloadbalancing:*",
"elasticbeanstalk:DescribePlatformVersion",
"elasticbeanstalk:DescribeConfigurationSettings",
"elasticbeanstalk:CheckDNSAvailability",
"elasticbeanstalk:ListAvailableSolutionStacks",
"elasticbeanstalk:ListPlatformVersions",
"elasticbeanstalk:DescribeConfigurationOptions"
],
"Resource": "*"
},
{
"Sid": "IAMActions",
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:Get*",
"iam:PassRole",
"iam:CreateRole",
"iam:AddRoleToInstanceProfile"
],
"Resource": [
"*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"elasticbeanstalk:ComposeEnvironments",
"elasticbeanstalk:AbortEnvironmentUpdate",
"elasticbeanstalk:TerminateEnvironment",
"elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
"elasticbeanstalk:ValidateConfigurationSettings",
"elasticbeanstalk:DescribeEnvironmentResources",
"elasticbeanstalk:RequestEnvironmentInfo",
"elasticbeanstalk:RebuildEnvironment",
"elasticbeanstalk:UpdateApplicationVersion",
"elasticbeanstalk:DescribeEnvironments",
"elasticbeanstalk:DescribeInstancesHealth",
"elasticbeanstalk:DescribeApplicationVersions",
"elasticbeanstalk:DescribeEnvironmentHealth",
"elasticbeanstalk:DescribeApplications",
"elasticbeanstalk:DeleteConfigurationTemplate",
"elasticbeanstalk:RestartAppServer",
"elasticbeanstalk:CreateConfigurationTemplate",
"elasticbeanstalk:UpdateConfigurationTemplate",
"elasticbeanstalk:UpdateApplication",
"elasticbeanstalk:DescribeEnvironmentManagedActions",
"elasticbeanstalk:DescribeConfigurationOptions",
"elasticbeanstalk:ApplyEnvironmentManagedAction",
"elasticbeanstalk:DescribeEvents",
"elasticbeanstalk:CreateEnvironment",
"elasticbeanstalk:DeleteEnvironmentConfiguration",
"elasticbeanstalk:UpdateEnvironment",
"elasticbeanstalk:RetrieveEnvironmentInfo"
],
"Resource": [
"arn:aws:elasticbeanstalk:[zone]:[user-id]:application/[eb-app-name]",
"arn:aws:elasticbeanstalk:[zone]:[user-id]:application/[eb-app-name]/*",
"arn:aws:elasticbeanstalk:*:*:environment/*/*",
"arn:aws:elasticbeanstalk:*:*:applicationversion/*/*",
"arn:aws:elasticbeanstalk:*:*:configurationtemplate/*/*"
]
}
]
}
Replace [zone] with the region you use, [user-id] with the ID of the main account, etc.
Resources used:
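Both policies above are written as templates with bracketed placeholders ([zone], [user-id], [eb-app-name]), and the answer's version also grants several IAM actions on `Resource: "*"`. The following script is an added example, not code from the question or the answer: it renders such a template with constructed sample values (a fake region, account ID and application name), parses the result as strict JSON (so a stray trailing comma fails loudly before the policy ever reaches IAM), and lints the rendered document for the grants a reviewer would want to see justified: `service:*` on every resource, `iam:PassRole`/`iam:CreateRole` on every role, and Elastic Beanstalk ARNs whose application segment is `*`. The condensed SAMPLE_TEMPLATE is a constructed subset of the answer's policy; no AWS API is called.

```python
"""Render a placeholder IAM policy template and lint it for wildcard grants.

Added example; not part of the original question or answer. Placeholder names
follow the answer's convention ([zone], [user-id], [eb-app-name]); the values
and the template below are constructed samples, not real account data.
"""
import json
import re

# IAM actions that, allowed on Resource "*", let the principal create or hand
# out arbitrary roles (classic privilege-escalation paths).
SENSITIVE_IAM_ACTIONS = {
    "iam:PassRole",
    "iam:CreateRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    "iam:AddRoleToInstanceProfile",
    "iam:*",
}

# Matches [zone]-style placeholders only; JSON arrays ("[...") never match.
PLACEHOLDER = re.compile(r"\[([a-z-]+)\]")

# Elastic Beanstalk ARN whose application segment is a wildcard.
EB_UNSCOPED = re.compile(
    r"^arn:aws:elasticbeanstalk:[^:]*:[^:]*:"
    r"(environment|applicationversion|configurationtemplate)/\*/"
)

# Constructed subset of the answer's policy (hypothetical statement contents).
SAMPLE_TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CreateEnvironment", "Effect": "Allow",
     "Action": "elasticbeanstalk:CreateEnvironment",
     "Resource": ["arn:aws:elasticbeanstalk:[zone]:[user-id]:environment/[eb-app-name]/*"]},
    {"Sid": "GlobalUnspecificResources", "Effect": "Allow",
     "Action": ["s3:*", "ec2:*", "elasticbeanstalk:CheckDNSAvailability"],
     "Resource": "*"},
    {"Sid": "IAMActions", "Effect": "Allow",
     "Action": ["iam:CreateInstanceProfile", "iam:PassRole", "iam:CreateRole"],
     "Resource": ["*"]},
    {"Sid": "EnvironmentActions", "Effect": "Allow",
     "Action": ["elasticbeanstalk:TerminateEnvironment"],
     "Resource": ["arn:aws:elasticbeanstalk:[zone]:[user-id]:application/[eb-app-name]",
                  "arn:aws:elasticbeanstalk:*:*:environment/*/*"]}
  ]
}"""

# Constructed sample values; 123456789012 is AWS's documentation account ID.
SAMPLE_VALUES = {"zone": "us-east-1", "user-id": "123456789012", "eb-app-name": "myapp"}


def render_policy(template: str, values: dict) -> dict:
    """Substitute [name] placeholders and parse the result as strict JSON.

    Raises KeyError for a placeholder with no value and ValueError (a
    json.JSONDecodeError) for malformed JSON such as a trailing comma.
    """
    def substitute(match: re.Match) -> str:
        key = match.group(1)
        if key not in values:
            raise KeyError(f"no value supplied for placeholder [{key}]")
        return values[key]

    return json.loads(PLACEHOLDER.sub(substitute, template))


def _as_list(value) -> list:
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list:
    """Return one finding string per overly broad Allow grant."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        star_resource = "*" in resources
        for action in actions:
            if action == "*" or (action.endswith(":*") and star_resource):
                findings.append(f"{sid}: {action} on Resource * (full service access)")
            elif action in SENSITIVE_IAM_ACTIONS and star_resource:
                findings.append(f"{sid}: {action} on Resource * (usable with any role)")
        if any(EB_UNSCOPED.match(r) for r in resources):
            findings.append(f"{sid}: Elastic Beanstalk resource not scoped to one application")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(render_policy(SAMPLE_TEMPLATE, SAMPLE_VALUES)):
        print(finding)
```

Running it against the constructed sample reports the two `service:*` grants, the two sensitive IAM actions on `*`, and the unscoped `environment/*/*` ARN; the findings are the list of grants to either narrow (for example by scoping `iam:PassRole` to the specific instance-profile role ARN) or consciously accept, given the AWS caveat quoted in the answer.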