Amazon web services AWS云形成中的可假设角色
使用AWS,我正在构建一个定义以下内容的堆栈:Amazon web services AWS云形成中的可假设角色,amazon-web-services,amazon-cloudformation,amazon-iam,Amazon Web Services,Amazon Cloudformation,Amazon Iam,使用AWS,我正在构建一个定义以下内容的堆栈: 几个资源(为了简单起见,下面不转录) 一个名为MyPolicy的策略,允许使用这些资源(为了简单起见,不在下面转录) 一个名为MyRole的角色提交给该策略 堆栈将由管理员创建;一旦创建,目标是允许(从堆栈外部)一些用户承担MyRole,以便使用这些资源 我的问题:应该如何定义角色,以便用户能够理解角色(允许从堆栈外部指定用户) 在AWS帮助页面中,他们给出了一个where“Service”:[“ec2.amazonaws.com”],这意味着允许
MyPolicyMyRoleMyRole“Service”:[“ec2.amazonaws.com”]ec2JSON{
"AWSTemplateFormatVersion" : "2010-09-09",
"Resources" : {
"MyRole" : {
"Type": "AWS::IAM::Role",
"RoleName": "MyRole",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": { "Service": [ "??" ] },
"Action": [ "sts:AssumeRole" ]
}
]
},
"ManagedPolicyArns": [ { "Fn::GetAtt" : [ "MyPolicy", "Arn" ] } ],
}
}
}
好问题!只需使用根用户ARN作为主体。这将允许您控制哪个用户可以使用IAM担任角色。下面是一个例子(为了我自己的理智,用YAML): 只剩下将用户添加到AssumeRoleGroup管理员组 好处:我添加了一个条件,只允许使用MFA登录的用户担任该角色
另外,只需将您的
${AWS::AccountId} AdministratorRole:
Type: AWS::IAM::Role
Properties:
RoleName: administrator
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub arn:aws:iam::${AWS::AccountId}:root
Action: sts:AssumeRole
Condition:
Bool:
aws:MultiFactorAuthPresent: 'true'
Path: "/"
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AdministratorAccess
AssumeAdministratorRolePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: "AssumeRolePolicy-Administrator"
Description: "Assume the administrative role"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: "AssumeAdministratorRolePolicy"
Effect: "Allow"
Action:
- "sts:AssumeRole"
Resource: !GetAtt AdministratorRole.Arn
AssumeAdministratorRoleGroup:
Type: AWS::IAM::Group
Properties:
GroupName: "AssumeRoleGroup-Administrator"
ManagedPolicyArns:
- !Ref AssumeAdministratorRolePolicy