使用有限的IAM角色用户创建EB env


我正在尝试创建一个受限访问的IAM用户,只允许管理特定EB应用程序下的环境。

意思是,在名为X的EB应用程序下,用户将能够创建/删除/修改任何存在的环境。

这失败了。IAM 用户可以登录并创建环境,但在设置阶段出现以下错误(截图来自环境仪表板日志;原帖中的图片未能保留)。

目前,用户的IAM策略如下所示 -

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
                "iam:ListAttachedRolePolicies",
                "ec2:*",
                "cloudformation:*",
                "elasticbeanstalk:CheckDNSAvailability",
                "iam:ListRolePolicies",
                "autoscaling:*",
                "iam:GetRolePolicy",
                "elasticbeanstalk:ListPlatformVersions"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::elasticbeanstalk-*/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:PutBucketPolicy",
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketPolicy",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-[aws-area]-[root-user-id]",
                "arn:aws:s3:::elasticbeanstalk-[aws-area]-[root-user-id]/*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "elasticbeanstalk:*",
            "Resource": [
                "arn:aws:elasticbeanstalk:*:*:configurationtemplate/[app-name]/*",
                "arn:aws:elasticbeanstalk:[aws-area]:[root-user-id]:environment/[app-name]/*",
                "arn:aws:elasticbeanstalk:[aws-area]:[root-user-id]:applicationversion/[app-name]/*",
                "arn:aws:elasticbeanstalk:[aws-area]:[root-user-id]:application/[app-name]",
                "arn:aws:elasticbeanstalk:*::solutionstack/*"
            ]
        }
    ]
}

有没有解决的办法?如何关联实例配置文件(instance profile)?似乎缺少某些权限,导致 AWS 无法附加实例配置文件或其他资源。

amazon-web-services amazon-iam amazon-elb amazon-elastic-beanstalk

这是在问题中发布的策略无法正常工作后,我自己整理出的策略。我确信它还可以进一步调整,以使权限更精确。

以下策略将允许用户与单个 EB 应用程序进行交互。请注意,EB 要求对某些 AWS 服务(如 EC2、S3、CloudFormation 等)拥有完全访问权限。另外,IAMActions 语句中的 iam:PassRole 和 iam:CreateRole 的 Resource 为 "*",这意味着该用户可以把账户内任意已有角色传递给 EB/EC2;如果要真正限制该用户,应把这条语句的 Resource 收窄到 EB 服务角色和实例配置文件角色的 ARN。

如亚马逊的文档所述 -

虽然您可以限制用户与Elastic Beanstalk API的交互方式,但目前还没有一种有效的方法可以阻止有权创建必要的底层资源的用户在Amazon EC2和其他服务中创建其他资源。

策略 -

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateEnvironment",
      "Effect": "Allow",
      "Action": "elasticbeanstalk:CreateEnvironment",
      "Resource": [
        "arn:aws:elasticbeanstalk:[zone]:[user-id]:environment/[eb-app-name]/*",
        "arn:aws:elasticbeanstalk:[zone]:[user-id]:application/[eb-app-name]/*"
      ]
    },
    {
      "Sid": "GlobalUnspecificResources",
      "Effect": "Allow",
      "Action": [
        "sns:*",
        "iam:List*",
        "s3:*",
        "cloudwatch:*",
        "ecs:*",
        "ec2:*",
        "cloudformation:*",
        "sqs:*",
        "autoscaling:*",
        "elasticloadbalancing:*",
        "elasticbeanstalk:DescribePlatformVersion",
        "elasticbeanstalk:DescribeConfigurationSettings",
        "elasticbeanstalk:CheckDNSAvailability",
        "elasticbeanstalk:ListAvailableSolutionStacks",
        "elasticbeanstalk:ListPlatformVersions",
        "elasticbeanstalk:DescribeConfigurationOptions",
      ],
      "Resource": "*"
    },
    {
        "Sid": "IAMActions",
        "Effect": "Allow",
        "Action": [
            "iam:CreateInstanceProfile",
            "iam:Get*",
            "iam:PassRole",
            "iam:CreateRole",
            "iam:AddRoleToInstanceProfile"
        ],
        "Resource": [
          "*"
        ]
      },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": [
        "elasticbeanstalk:ComposeEnvironments",
        "elasticbeanstalk:AbortEnvironmentUpdate",
        "elasticbeanstalk:TerminateEnvironment",
        "elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
        "elasticbeanstalk:ValidateConfigurationSettings",
        "elasticbeanstalk:DescribeEnvironmentResources",
        "elasticbeanstalk:RequestEnvironmentInfo",
        "elasticbeanstalk:RebuildEnvironment",
        "elasticbeanstalk:UpdateApplicationVersion",
        "elasticbeanstalk:DescribeEnvironments",
        "elasticbeanstalk:DescribeInstancesHealth",
        "elasticbeanstalk:DescribeApplicationVersions",
        "elasticbeanstalk:DescribeEnvironmentHealth",
        "elasticbeanstalk:DescribeApplications",
        "elasticbeanstalk:DeleteConfigurationTemplate",
        "elasticbeanstalk:RestartAppServer",
        "elasticbeanstalk:CreateConfigurationTemplate",
        "elasticbeanstalk:UpdateConfigurationTemplate",
        "elasticbeanstalk:UpdateApplication",
        "elasticbeanstalk:DescribeEnvironmentManagedActions",
        "elasticbeanstalk:DescribeConfigurationOptions",
        "elasticbeanstalk:ApplyEnvironmentManagedAction",
        "elasticbeanstalk:DescribeEvents",
        "elasticbeanstalk:CreateEnvironment",
        "elasticbeanstalk:DeleteEnvironmentConfiguration",
        "elasticbeanstalk:UpdateEnvironment",
        "elasticbeanstalk:RetrieveEnvironmentInfo"
      ],
      "Resource": [
        "arn:aws:elasticbeanstalk:[zone]:[user-id]:application/[eb-app-name]",
        "arn:aws:elasticbeanstalk:[zone]:[user-id]:application/[eb-app-name]/*",
        "arn:aws:elasticbeanstalk:*:*:environment/*/*",
        "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*",
        "arn:aws:elasticbeanstalk:*:*:configurationtemplate/*/*"
      ]
    }
  ]
}

请将 [zone] 替换为您使用的区域,将 [user-id] 替换为主账户的账户 ID,依此类推。注意:上面 GlobalUnspecificResources 语句的 Action 列表末尾("elasticbeanstalk:DescribeConfigurationOptions" 之后)多了一个逗号,IAM 不接受带尾随逗号的策略文档,粘贴前请删除。

使用的资源:
