如何要求用户使用 scp 设置其 role_session_name
使用 scp,我希望在运行 terraform 模板时向在我的组织帐户中承担角色的用户要求 role_session_name。 role_session_name 值需要等于其 iam username。 我已在我的组织中附加了以下 scp
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "sts:AssumeRole",
"Resource": "*",
"Condition": {
"StringNotLike": {
"sts:RoleSessionName": [
"${aws:username}"
]
}
}
}
]
}
的 ~/.aws/config 文件内容下方,
[profile my_profile]
region = us-west-3
role_arn = arn:aws:iam:ACOUNT_ID:role/role_name
output = json
在 terraform 模板的 provider 部分下面
provider "aws" {
shared_credentials = "~/.aws/credentials"
region = "eu-west-3"
profile = "my_profile"
}
未指定 role_session_name = my_aws_user_name ` 在配置文件中,我能够运行模板而不会被 scp 阻止。
请问如何实现这一点?
谢谢
Using scp, I would like to require role_session_name to users who assume roles in my organization accounts when running terraform template. The role_session_name value need to be equals to their iam username.
I have attached below scp in my organization
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "sts:AssumeRole",
"Resource": "*",
"Condition": {
"StringNotLike": {
"sts:RoleSessionName": [
"${aws:username}"
]
}
}
}
]
}
Below the ~/.aws/config file content
[profile my_profile]
region = us-west-3
role_arn = arn:aws:iam:ACOUNT_ID:role/role_name
output = json
below provider section of terraform template
provider "aws" {
shared_credentials = "~/.aws/credentials"
region = "eu-west-3"
profile = "my_profile"
}
Without specifying role_session_name = my_aws_user_name` inside the config file, I am able to run the template without being blocked by the scp.
How to achieve this please ?
Thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
编辑
我终于设置了一个AWS组织来测试。您现在拥有的 SCP 运行良好。角色位于帐户 A 中。SCP 附加到帐户 B:
使用帐户 B 中的用户,我尝试使用随机会话名称在帐户 A 中承担角色。访问被拒绝。
但是当我使用与我的用户名相同的会话名称时,我就可以了。
EDIT
I finally setup an AWS organization to test. The SCP as you now have is working fine. Role is in account A. SCP attached to account B:
Using a user in account B, I tried to assume a Role in Account A using a random session name. Got access denied.
But when I use a session name that is same as my username, I am able to.
调用 AssumeRole 操作时发生错误 (AccessDenied):用户:arn:aws:iam:::user/ 无权对资源执行:sts:AssumeRole:arn:aws:iam:::role/T
此问题是您的个人资料帐户没有其他帐户的权限附加策略,因此我授予 IAM 角色的完全访问权限,然后运行正常。
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam:::user/ is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam:::role/T
this issue is your profile account doesnt has permission attach policy for other account, so I give the IAM full access of role then run fine.