I am trying to create an IAM user with restricted access, allowed only to manage the environments under a specific EB application.
Meaning, under the EB application named X, the user would be able to create/delete/modify any existing environment.
This fails. The IAM user can log in and create an environment, but during the setup stage I get the following error (image from the environment dashboard log) -
Currently, the user's IAM policy looks like this -
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:PassRole",
                "iam:ListAttachedRolePolicies",
                "ec2:*",
                "cloudformation:*",
                "elasticbeanstalk:CheckDNSAvailability",
                "iam:ListRolePolicies",
                "autoscaling:*",
                "iam:GetRolePolicy",
                "elasticbeanstalk:ListPlatformVersions"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::elasticbeanstalk-*/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObjectAcl",
                "s3:PutBucketPolicy",
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:GetBucketPolicy",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::elasticbeanstalk-[aws-area]-[root-user-id]",
                "arn:aws:s3:::elasticbeanstalk-[aws-area]-[root-user-id]/*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "elasticbeanstalk:*",
            "Resource": [
                "arn:aws:elasticbeanstalk:*:*:configurationtemplate/[app-name]/*",
                "arn:aws:elasticbeanstalk:[aws-area]:[root-user-id]:environment/[app-name]/*",
                "arn:aws:elasticbeanstalk:[aws-area]:[root-user-id]:applicationversion/[app-name]/*",
                "arn:aws:elasticbeanstalk:[aws-area]:[root-user-id]:application/[app-name]",
                "arn:aws:elasticbeanstalk:*::solutionstack/*"
            ]
        }
    ]
}
Is there a way to solve this? How do I associate the profile? It seems some permission is missing and AWS cannot attach the instance profile or something.
This is the policy I came up with after I was unable to use the published policy. I am sure it can be tweaked further to make it more precise, etc.
The following specific policy will allow a user to interact with a single EB application. Note that EB requires full access to some AWS services (such as EC2, S3, CloudFormation, etc.).
As stated in Amazon's documentation -
While you can restrict how users interact with the Elastic Beanstalk API, there is currently no effective way to prevent users who have permission to create the necessary underlying resources from creating other resources in Amazon EC2 and other services.
Policy -
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateEnvironment",
            "Effect": "Allow",
            "Action": "elasticbeanstalk:CreateEnvironment",
            "Resource": [
                "arn:aws:elasticbeanstalk:[zone]:[user-id]:environment/[eb-app-name]/*",
                "arn:aws:elasticbeanstalk:[zone]:[user-id]:application/[eb-app-name]/*"
            ]
        },
        {
            "Sid": "GlobalUnspecificResources",
            "Effect": "Allow",
            "Action": [
                "sns:*",
                "iam:List*",
                "s3:*",
                "cloudwatch:*",
                "ecs:*",
                "ec2:*",
                "cloudformation:*",
                "sqs:*",
                "autoscaling:*",
                "elasticloadbalancing:*",
                "elasticbeanstalk:DescribePlatformVersion",
                "elasticbeanstalk:DescribeConfigurationSettings",
                "elasticbeanstalk:CheckDNSAvailability",
                "elasticbeanstalk:ListAvailableSolutionStacks",
                "elasticbeanstalk:ListPlatformVersions",
                "elasticbeanstalk:DescribeConfigurationOptions"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMActions",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:Get*",
                "iam:PassRole",
                "iam:CreateRole",
                "iam:AddRoleToInstanceProfile"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "elasticbeanstalk:ComposeEnvironments",
                "elasticbeanstalk:AbortEnvironmentUpdate",
                "elasticbeanstalk:TerminateEnvironment",
                "elasticbeanstalk:DescribeEnvironmentManagedActionHistory",
                "elasticbeanstalk:ValidateConfigurationSettings",
                "elasticbeanstalk:DescribeEnvironmentResources",
                "elasticbeanstalk:RequestEnvironmentInfo",
                "elasticbeanstalk:RebuildEnvironment",
                "elasticbeanstalk:UpdateApplicationVersion",
                "elasticbeanstalk:DescribeEnvironments",
                "elasticbeanstalk:DescribeInstancesHealth",
                "elasticbeanstalk:DescribeApplicationVersions",
                "elasticbeanstalk:DescribeEnvironmentHealth",
                "elasticbeanstalk:DescribeApplications",
                "elasticbeanstalk:DeleteConfigurationTemplate",
                "elasticbeanstalk:RestartAppServer",
                "elasticbeanstalk:CreateConfigurationTemplate",
                "elasticbeanstalk:UpdateConfigurationTemplate",
                "elasticbeanstalk:UpdateApplication",
                "elasticbeanstalk:DescribeEnvironmentManagedActions",
                "elasticbeanstalk:DescribeConfigurationOptions",
                "elasticbeanstalk:ApplyEnvironmentManagedAction",
                "elasticbeanstalk:DescribeEvents",
                "elasticbeanstalk:CreateEnvironment",
                "elasticbeanstalk:DeleteEnvironmentConfiguration",
                "elasticbeanstalk:UpdateEnvironment",
                "elasticbeanstalk:RetrieveEnvironmentInfo"
            ],
            "Resource": [
                "arn:aws:elasticbeanstalk:[zone]:[user-id]:application/[eb-app-name]",
                "arn:aws:elasticbeanstalk:[zone]:[user-id]:application/[eb-app-name]/*",
                "arn:aws:elasticbeanstalk:*:*:environment/*/*",
                "arn:aws:elasticbeanstalk:*:*:applicationversion/*/*",
                "arn:aws:elasticbeanstalk:*:*:configurationtemplate/*/*"
            ]
        }
    ]
}
Replace the zone with the region you use, the user ID with the master account's user ID, etc.
Resources used:
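As an added example (not code from the question or the answer), a small Python script that reviews the answer's policy offline and lists the Allow statements whose grants reach beyond the single EB application, which is exactly the caveat the quoted documentation makes. The embedded policy is a constructed, abbreviated copy of the answer's with its placeholders kept; `review` and its finding texts are my own.

```python
import json

# Constructed, abbreviated copy of the answer's policy (placeholders left as posted).
POLICY = json.loads(r'''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "CreateEnvironment", "Effect": "Allow",
     "Action": "elasticbeanstalk:CreateEnvironment",
     "Resource": ["arn:aws:elasticbeanstalk:[zone]:[user-id]:environment/[eb-app-name]/*",
                  "arn:aws:elasticbeanstalk:[zone]:[user-id]:application/[eb-app-name]/*"]},
    {"Sid": "GlobalUnspecificResources", "Effect": "Allow",
     "Action": ["sns:*", "iam:List*", "s3:*", "ec2:*", "cloudformation:*", "autoscaling:*",
                "elasticbeanstalk:CheckDNSAvailability"],
     "Resource": "*"},
    {"Sid": "IAMActions", "Effect": "Allow",
     "Action": ["iam:CreateInstanceProfile", "iam:Get*", "iam:PassRole", "iam:CreateRole",
                "iam:AddRoleToInstanceProfile"],
     "Resource": ["*"]}
  ]
}''')


def _as_list(value):
    """IAM allows Action/Resource to be a string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review(policy):
    """Return (Sid, action, reason) for each Allow grant not confined to the EB app."""
    findings = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        unscoped = "*" in _as_list(st.get("Resource", []))
        for action in actions:
            service, _, name = action.partition(":")
            if unscoped and name == "*":
                findings.append((st["Sid"], action, "full service access on all resources"))
            elif unscoped and action == "iam:PassRole" and "Condition" not in st:
                findings.append((st["Sid"], action,
                                 "PassRole on any role; consider an iam:PassedToService condition"))
            elif unscoped and service == "iam" and name.startswith(("Create", "Add")):
                findings.append((st["Sid"], action, "can create or attach IAM roles outside the app"))
    return findings


if __name__ == "__main__":
    for sid, action, reason in review(POLICY):
        print(f"{sid}: {action} - {reason}")
```

The app-scoped `CreateEnvironment` statement produces no finding; every finding comes from the two statements that use `Resource: "*"`.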