如何允许用户仅从服务目录启动 EC2 实例?
How to allow users to launch EC2 instances only from Service Catalog?
我创建了一个服务目录产品组合和产品,旨在让用户启动他们自己的质量保证环境。我已经为部分用户提供了 AWS 托管策略 "ServiceCatalogEndUserFullAccess"(如下),以便他们可以启动产品,但是他们似乎还需要对模板创建的资源(在本例中,只是 EC2 和 ELB)的个人权限).
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"catalog-user:*",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks",
"cloudformation:GetTemplateSummary",
"cloudformation:SetStackPolicy",
"cloudformation:ValidateTemplate",
"cloudformation:UpdateStack",
"servicecatalog:DescribeProduct",
"servicecatalog:DescribeProductView",
"servicecatalog:DescribeProvisioningParameters",
"servicecatalog:ListLaunchPaths",
"servicecatalog:ProvisionProduct",
"servicecatalog:SearchProducts",
"s3:GetObject"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"servicecatalog:DescribeRecord",
"servicecatalog:ListRecordHistory",
"servicecatalog:ScanProvisionedProducts",
"servicecatalog:TerminateProvisionedProduct",
"servicecatalog:UpdateProvisionedProduct"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"servicecatalog:userLevel": "self"
}
}
}
]
}
因此,模板在 CloudFormation 中失败并回滚,出现如下错误:
API:ec2:runInstances - You are not authorized to perform this operation.
理想情况下,我想限制用户仅从服务目录启动 EC2 的能力,或者更具体地说,我们的暂存 VPC 启动 EC2 的能力,但从我目前阅读的内容来看,这两者似乎都不可能。有什么方法可以授予这种级别的精细权限,以便用户只能启动他们选择的特定服务目录产品中的资源?
您的策略已授予用户使用 服务目录的权限,但这不足以允许他们启动实际资源。
有两种方法可以授予启动资源的权限(例如 Amazon EC2):
- 向 IAM 用户 本身授予权限,或
- 将启动角色分配给产品的启动约束
来自 Applying a Launch Constraint 文档:
Without a launch constraint, end users must launch and manage products with their own IAM credentials. To do so, they must have permissions for AWS CloudFormation, the AWS services used by the products, and AWS Service Catalog. By using a launch role, you can instead limit the end users' permissions to the minimum that they require.
因此,创建一个具有启动 EC2 实例所需权限的启动角色,但只授予用户从服务目录启动产品所需的最低权限。
我创建了一个服务目录产品组合和产品,旨在让用户启动他们自己的质量保证环境。我已经为部分用户提供了 AWS 托管策略 "ServiceCatalogEndUserFullAccess"(如下),以便他们可以启动产品,但是他们似乎还需要对模板创建的资源(在本例中,只是 EC2 和 ELB)的个人权限).
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"catalog-user:*",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks",
"cloudformation:GetTemplateSummary",
"cloudformation:SetStackPolicy",
"cloudformation:ValidateTemplate",
"cloudformation:UpdateStack",
"servicecatalog:DescribeProduct",
"servicecatalog:DescribeProductView",
"servicecatalog:DescribeProvisioningParameters",
"servicecatalog:ListLaunchPaths",
"servicecatalog:ProvisionProduct",
"servicecatalog:SearchProducts",
"s3:GetObject"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"servicecatalog:DescribeRecord",
"servicecatalog:ListRecordHistory",
"servicecatalog:ScanProvisionedProducts",
"servicecatalog:TerminateProvisionedProduct",
"servicecatalog:UpdateProvisionedProduct"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"servicecatalog:userLevel": "self"
}
}
}
]
}
因此,模板在 CloudFormation 中失败并回滚,出现如下错误:
API:ec2:runInstances - You are not authorized to perform this operation.
理想情况下,我想限制用户仅从服务目录启动 EC2 的能力,或者更具体地说,我们的暂存 VPC 启动 EC2 的能力,但从我目前阅读的内容来看,这两者似乎都不可能。有什么方法可以授予这种级别的精细权限,以便用户只能启动他们选择的特定服务目录产品中的资源?
您的策略已授予用户使用 服务目录的权限,但这不足以允许他们启动实际资源。
有两种方法可以授予启动资源的权限(例如 Amazon EC2):
- 向 IAM 用户 本身授予权限,或
- 将启动角色分配给产品的启动约束
来自 Applying a Launch Constraint 文档:
Without a launch constraint, end users must launch and manage products with their own IAM credentials. To do so, they must have permissions for AWS CloudFormation, the AWS services used by the products, and AWS Service Catalog. By using a launch role, you can instead limit the end users' permissions to the minimum that they require.
因此,创建一个具有启动 EC2 实例所需权限的启动角色,但只授予用户从服务目录启动产品所需的最低权限。