Amazon Web Services: is there a way to restrict which actions an IAM role can add to an IAM policy?

Tags: amazon-web-services, amazon-cloudformation, amazon-iam, aws-codepipeline

We want developers to be able to create CodePipelines that can deploy their services. This means they need to be able to create IAM roles for the CodePipeline steps, which means we need to give developers IAM capabilities. Is there a way to restrict this so that the IAM roles they can create are limited to certain services, such as ECS-, EC2- and RDS-related actions? Or perhaps specifically blacklist certain services, such as IAM-related actions?

Yes. For this we give developers a role (assumable via CodeBuild) that is able to create other roles subject to a permissions boundary. We encourage them to break their CodePipeline into multiple stages, each with its own role. They use this CodeBuild role to bootstrap their pipeline. The roles are restricted in which services they can be passed to and which actions they can perform. Information on how to do this follows:
  DeveloperPipelineCreateRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: "Developer-pipeline-create-role"
      ManagedPolicyArns:
        - !Ref DeveloperPipelineCreatePolicy
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - codebuild.amazonaws.com
            Action:
              - sts:AssumeRole

  DeveloperPipelineCreatePolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: "Developer-pipeline-create-policy"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowCreateRoles
            Effect: Allow
            Action:
              - iam:CreateRole
              - iam:DetachRolePolicy
              - iam:AttachRolePolicy
              - iam:PutRolePermissionsBoundary
            Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/*'
            Condition:
              StringEquals:
                iam:PermissionsBoundary:
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/pipeline-iam-boundary'
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/source-iam-boundary'
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/build-iam-boundary'
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/deploy-iam-boundary'
                  - !Sub 'arn:aws:iam::${AWS::AccountId}:policy/execution-iam-boundary'

  CodePipelineBoundary:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub "pipeline-iam-boundary"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Action:
              - iam:PassRole
            Resource: "*"
            Effect: Allow
            Condition:
              StringEqualsIfExists:
                iam:PassedToService:
                  - cloudformation.amazonaws.com
                  - elasticbeanstalk.amazonaws.com
                  - ec2.amazonaws.com
                  - ecs-tasks.amazonaws.com
          - Sid: AddStuffYourPipelineRoleMightDo
            Effect: Allow
            Action: (something)
            Resource: (something)

  SourceBoundary: (similar to above)
  BuildBoundary: (similar to above)
  ...
See the examples.
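To make the two checks in the template above concrete, here is an added Python model (not code from the answer, and not AWS's own policy evaluator) that replays them: the creation-time condition on iam:PermissionsBoundary that the CodeBuild role's policy enforces, and the run-time cap a boundary puts on whatever policy a developer attaches to the role they created. The account id, the deploy boundary's statements (including its explicit Deny) and the developer-written policy are constructed for this illustration; only two condition operators and case-sensitive wildcard matching are modelled, and SCPs, resource-based policies and session policies are left out.

```python
"""Simplified model of IAM permissions-boundary evaluation.

Added illustration; NOT AWS's evaluator. Models identity policy + boundary
only, with StringEquals / StringEqualsIfExists and case-sensitive wildcards.
"""
import fnmatch

# Constructed account id and the five boundary ARNs the answer's
# DeveloperPipelineCreatePolicy condition accepts.
ACCOUNT_ID = "123456789012"
ALLOWED_BOUNDARIES = [
    f"arn:aws:iam::{ACCOUNT_ID}:policy/{name}-iam-boundary"
    for name in ("pipeline", "source", "build", "deploy", "execution")
]

# Creation-time gate: the statement carried by the developer's CodeBuild role.
CREATE_ROLE_POLICY = {
    "Statement": [{
        "Sid": "AllowCreateRoles",
        "Effect": "Allow",
        "Action": ["iam:CreateRole", "iam:DetachRolePolicy",
                   "iam:AttachRolePolicy", "iam:PutRolePermissionsBoundary"],
        "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/*",
        "Condition": {"StringEquals": {"iam:PermissionsBoundary": ALLOWED_BOUNDARIES}},
    }]
}

# Run-time cap: a constructed deploy-iam-boundary in the spirit of the
# answer's CodePipelineBoundary. The explicit Deny is a constructed addition.
DEPLOY_BOUNDARY = {
    "Statement": [
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*",
         "Condition": {"StringEqualsIfExists": {"iam:PassedToService": [
             "cloudformation.amazonaws.com", "ecs-tasks.amazonaws.com"]}}},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ecs:*", "ec2:Describe*", "rds:Describe*"]},
        {"Effect": "Deny", "Resource": "*",
         "Action": "iam:DeleteRolePermissionsBoundary"},
    ]
}

# Constructed policy a developer might attach to a role created under the boundary.
DEV_ROLE_POLICY = {
    "Statement": [{"Effect": "Allow", "Resource": "*",
                   "Action": ["ecs:*", "iam:*", "rds:*"]}]
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """StringEquals requires the key; StringEqualsIfExists passes when it is absent."""
    for operator, pairs in (condition or {}).items():
        for key, allowed in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(allowed):
                    return False
            elif operator == "StringEqualsIfExists":
                if actual is not None and actual not in _as_list(allowed):
                    return False
            else:
                raise ValueError(f"unsupported condition operator: {operator}")
    return True


def _statement_applies(stmt, action, resource, context):
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
            and _condition_holds(stmt.get("Condition"), context))


def policy_decision(policy, action, resource, context=None):
    """Decision of one policy document: 'Deny', 'Allow' or 'ImplicitDeny'."""
    context = context or {}
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if _statement_applies(stmt, action, resource, context):
            if stmt["Effect"] == "Deny":
                return "Deny"          # an explicit Deny ends evaluation
            decision = "Allow"
    return decision


def effective_decision(identity_policy, boundary, action, resource, context=None):
    """Boundary semantics: both documents must Allow; any explicit Deny wins."""
    ident = policy_decision(identity_policy, action, resource, context)
    bound = policy_decision(boundary, action, resource, context)
    if "Deny" in (ident, bound):
        return "Deny"
    return "Allow" if ident == "Allow" and bound == "Allow" else "ImplicitDeny"


if __name__ == "__main__":
    role = f"arn:aws:iam::{ACCOUNT_ID}:role/deploy-step"
    print("CreateRole with sanctioned boundary:",
          policy_decision(CREATE_ROLE_POLICY, "iam:CreateRole", role,
                          {"iam:PermissionsBoundary": ALLOWED_BOUNDARIES[3]}))
    print("CreateRole with no boundary:",
          policy_decision(CREATE_ROLE_POLICY, "iam:CreateRole", role))
    for action in ("ecs:UpdateService", "iam:CreateUser", "rds:DeleteDBInstance",
                   "iam:DeleteRolePermissionsBoundary"):
        print(action, "->", effective_decision(DEV_ROLE_POLICY, DEPLOY_BOUNDARY, action, "*"))
```

Three things the model makes visible: a CreateRole call that omits the boundary, or names one outside the sanctioned list, is refused by the CodeBuild role's own policy before any role exists; a boundary never grants anything on its own (ec2:DescribeInstances is inside the boundary but outside the developer's policy, so it is still denied); and an explicit Deny written into the boundary holds even though the developer's iam:* would otherwise allow the action.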