创建用户后,有没有一种CloudFormation方式可以上传SSH_PublicKey?

时间:2019-04-06 17:54:23

标签: amazon-cloudformation amazon-iam

我正在尝试创建一个仅使用CloudFormation具有CodeCommit和S3访问权限的IAM用户,而且,我想添加SSH_PublicKey,这是到目前为止的内容:

Resources:
  ItS3User:
    DependsOn: ArtifactsBucket
    Type: AWS::IAM::User
    Properties:
      Policies:
      - PolicyName: ItS3Access
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
          - Sid: AllowUserToSeeBucketListInTheConsole
            Action:
            - s3:ListAllMyBuckets
            - s3:GetBucketLocation
            Effect: Allow
            Resource:
            - arn:aws:s3:::*
          - Sid: AllowRootAndUploadsBucket
            Action:
            - s3:ListBucket
            Effect: Allow
            Resource:
            - Fn::Join:
              - ''
              - - 'arn:aws:s3:::'
                - Ref: ArtifactsBucket
            Condition:
              StringEquals:
                s3:prefix:
                - ''
                - it/
                s3:delimiter:
                - '/'
          - Sid: AllowListingOfUploadsFolder
            Action:
            - s3:ListBucket
            Effect: Allow
            Resource:
            - Fn::Join:
              - ''
              - - 'arn:aws:s3:::'
                - Ref: ArtifactsBucket
            Condition:
              StringLike:
                s3:prefix:
                - it/*
          - Sid: AllowAllS3ActionsInUploadsFolder
            Effect: Allow
            Action:
            - s3:PutObject
            - s3:GetObject
            - s3:GetObjectVersion
            Resource:
            - Fn::Join:
              - ''
              - - 'arn:aws:s3:::'
                - Ref: ArtifactsBucket
                - '/it'
                - '/*'

  ItUserAccessKey:
    DependsOn: ItS3User
    Type: AWS::IAM::AccessKey
    Properties:
      UserName:
        Ref: ItS3User


Outputs:
  ItUserAccessKeyID:
    Description: The Access Key for S3 bucket access
    Value:
      Ref: ItUserAccessKey
  ItUserAccessKeySecret:
    Description: The Access Key Secret for S3 bucket access
    Value:
      Fn::GetAtt:
        - ItUserAccessKey
        - SecretAccessKey

根据https://docs.aws.amazon.com/IAM/latest/APIReference/API_UploadSSHPublicKey.html

1 个答案:

答案 0 :(得分:0)

您可以创建一个自定义资源,该资源将调用UploadSSHPublicKey。类似于以下内容的东西应该起作用。

不要忘记将SSHPublicKeyBody的值更改为所需的键。

Resources:
  UploadSshKeyRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action: sts:AssumeRole
            Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
      Policies:
        - PolicyName: UploadSSHKey
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Action: iam:UploadSSHPublicKey
                Effect: Allow
                Resource: !Sub ${ItS3User.Arn}
  UploadKeyFunction:
    Type: AWS::Lambda::Function
    Properties:
      Runtime: python3.6
      Handler: index.handler
      Role: !Sub ${UploadSshKeyRole.Arn}
      Timeout: 60
      Code:
        ZipFile: |
          import boto3
          import cfnresponse
          import traceback

          def handler(event, context):
            try:
              response = boto3.client('iam').upload_ssh_public_key(
                  UserName=event['ResourceProperties']['Username'],
                  SSHPublicKeyBody=event['ResourceProperties']['SSHPublicKeyBody'],
              )

              cfnresponse.send(event, context, cfnresponse.SUCCESS, {}, "ok")
            except:
              traceback.print_last()
              cfnresponse.send(event, context, cfnresponse.FAIL, {}, "ok")
  UploadSshKey:
    Type: Custom::UploadSshKey
    Properties:
      ServiceToken: !Sub ${UploadKeyFunction.Arn}
      UserName: !Ref ItS3User
      SSHPublicKeyBody: "XXX INSERT PUBLIC KEY HERE XXX"
相关问题
最新问题