有没有办法限制 IAM 角色可以在 IAM 策略上添加哪些操作?
Is there a way to restrict what actions can be added on an IAM Policy by an IAM Role?
我们希望我们的开发人员能够创建可以部署其服务的代码管道。这意味着他们需要能够为代码管道步骤创建 IAM 角色。
这意味着我们需要为开发人员提供 IAM 功能。有没有办法限制他们可以创建的 IAM 角色仅限于创建某些服务?比方说 ECS、EC2、RDS 相关操作。或者可能专门将某些服务列入黑名单,例如 IAM 相关操作。
是的。我们通过为我们的开发人员提供一个角色(可由 CodeBuild 承担)来做到这一点,该角色能够创建其他角色,但要遵守权限边界。我们鼓励他们将 CodePipeline 分成多个阶段,并为每个阶段分配不同的角色。他们使用此 CodeBuild 角色来启动他们的管道。这些角色在可以传递给哪些服务以及可以执行哪些操作方面受到限制。
Quasi-Cloudformation 下面是关于如何执行此操作的信息:
DeveloperPipelineCreateRole:
Type: AWS::IAM::Role
Properties:
RoleName: "Developer-pipeline-create-role"
ManagedPolicyArns:
- !Ref DeveloperPipelineCreatePolicy
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- codebuild.amazonaws.com
Action:
- sts:AssumeRole
DeveloperPipelineCreatePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: "Developer-pipeline-create-policy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: AllowCreateRoles
Effect: Allow
Action:
- iam:CreateRole
- iam:DetachRolePolicy
- iam:AttachRolePolicy
- iam:PutRolePermissionsBoundary
Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/*'
Condition:
StringEquals:
iam:PermissionsBoundary:
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/pipeline-iam-boundary'
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/source-iam-boundary'
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/build-iam-boundary'
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/deploy-iam-boundary'
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/execution-iam-boundary'
CodePipelineBoundary:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Sub "pipeline-iam-boundary"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Action:
- iam:PassRole
Resource: "*"
Effect: Allow
Condition:
StringEqualsIfExists:
iam:PassedToService:
- cloudformation.amazonaws.com
- elasticbeanstalk.amazonaws.com
- ec2.amazonaws.com
- ecs-tasks.amazonaws.com
- Sid: AddStuffYourPipelineRoleMightDo
Effect: Allow
Action: (something)
Resource: (something)
SourceBoundary: (similar to above)
BuildBoundary: (similar to above)
...
我们希望我们的开发人员能够创建可以部署其服务的代码管道。这意味着他们需要能够为代码管道步骤创建 IAM 角色。
这意味着我们需要为开发人员提供 IAM 功能。有没有办法限制他们可以创建的 IAM 角色仅限于创建某些服务?比方说 ECS、EC2、RDS 相关操作。或者可能专门将某些服务列入黑名单,例如 IAM 相关操作。
是的。我们通过为我们的开发人员提供一个角色(可由 CodeBuild 承担)来做到这一点,该角色能够创建其他角色,但要遵守权限边界。我们鼓励他们将 CodePipeline 分成多个阶段,并为每个阶段分配不同的角色。他们使用此 CodeBuild 角色来启动他们的管道。这些角色在可以传递给哪些服务以及可以执行哪些操作方面受到限制。
Quasi-Cloudformation 下面是关于如何执行此操作的信息:
DeveloperPipelineCreateRole:
Type: AWS::IAM::Role
Properties:
RoleName: "Developer-pipeline-create-role"
ManagedPolicyArns:
- !Ref DeveloperPipelineCreatePolicy
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service:
- codebuild.amazonaws.com
Action:
- sts:AssumeRole
DeveloperPipelineCreatePolicy:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: "Developer-pipeline-create-policy"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: AllowCreateRoles
Effect: Allow
Action:
- iam:CreateRole
- iam:DetachRolePolicy
- iam:AttachRolePolicy
- iam:PutRolePermissionsBoundary
Resource: !Sub 'arn:aws:iam::${AWS::AccountId}:role/*'
Condition:
StringEquals:
iam:PermissionsBoundary:
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/pipeline-iam-boundary'
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/source-iam-boundary'
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/build-iam-boundary'
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/deploy-iam-boundary'
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/execution-iam-boundary'
CodePipelineBoundary:
Type: AWS::IAM::ManagedPolicy
Properties:
ManagedPolicyName: !Sub "pipeline-iam-boundary"
PolicyDocument:
Version: "2012-10-17"
Statement:
- Action:
- iam:PassRole
Resource: "*"
Effect: Allow
Condition:
StringEqualsIfExists:
iam:PassedToService:
- cloudformation.amazonaws.com
- elasticbeanstalk.amazonaws.com
- ec2.amazonaws.com
- ecs-tasks.amazonaws.com
- Sid: AddStuffYourPipelineRoleMightDo
Effect: Allow
Action: (something)
Resource: (something)
SourceBoundary: (similar to above)
BuildBoundary: (similar to above)
...