当前位置: 文江博客 话题详情

AWS Cloudformation - CodeCommit - 拒绝推送到 Master

发布于 2025-01-16 22:46:18 字数 2154 浏览 0 评论 0 原文

所以情况是这样的: 我有一个 Cloudformation,它创建 CodeCommit 存储库,其中包含一些额外的资源,以便其他 DevOps 流程正常工作。

我收到了阻止用户推送到特定分支的要求,在本例中为 master,我找到了执行此操作的策略。来源:https://docs.aws。 amazon.com/codecommit/latest/userguide/how-to-conditional-branch.html

因此,我编写了一个角色和策略,内容如下:

Resources:
  CodeCommitRepository:
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryName: !Sub '${ProjectCode}-${ProjectName}-${ComponentName}'
      RepositoryDescription: !Ref CodeCommitRepositoryDescription
      Tags:
        - Key: fdr:general:project-code
          Value: !Ref ProjectCode
        - Key: fdr:general:project-name
          Value: !Ref ProjectName

  DenyPushRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${ProjectCode}-${ProjectName}-${ComponentName}-DenyPush-Role'
      ManagedPolicyArns:
        - !Ref DenyPushToMasterPolicy
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Action:
            - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
              - codecommit.amazonaws.com

  DenyPushToMasterPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub '${ProjectCode}-${ProjectName}-${ComponentName}-DenyPush-Policy'
      Description: Policy to deny push to master
      PolicyDocument:
        Version: 2012-10-17
        Statement:
        - Action:
          - codecommit:GitPush
          - codecommit:PutFile
          - codecommit:DeleteBranch
          - codecommit:MergePullRequestByFastForward
          Effect: Deny
          Resource: !GetAtt CodeCommitRepository.Arn
          Condition:
            StringEqualsIfExists:
              codecommit:References: 
              - refs/heads/master
            'Null':
              codecommit:References: 'false'

据我了解,我不会说太多,通过创建角色与策略和 sts:AssumeRole 我认为使用该存储库的任何用户都会承担该角色,从而拒绝他们推送到 master 的能力,但事实并非如此。

我想我们可能会让事情变得过于复杂,我们应该将该策略直接应用于 IAM 上的所有用户,但我们的想法是让它做得非常精细。我做错了什么或者有可能吗?

此致

原文

So here is the situation:
I have a Cloudformation that creates CodeCommit repositories with some extra resources for other devops processes to work.

I got the requeriment to block users from doing a push to a specific branch, in this case master, I have found the policy that does that. source: https://docs.aws.amazon.com/codecommit/latest/userguide/how-to-conditional-branch.html

So I write a role and policy with the following:

Resources:
  CodeCommitRepository:
    Type: AWS::CodeCommit::Repository
    Properties:
      RepositoryName: !Sub '${ProjectCode}-${ProjectName}-${ComponentName}'
      RepositoryDescription: !Ref CodeCommitRepositoryDescription
      Tags:
        - Key: fdr:general:project-code
          Value: !Ref ProjectCode
        - Key: fdr:general:project-name
          Value: !Ref ProjectName

  DenyPushRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${ProjectCode}-${ProjectName}-${ComponentName}-DenyPush-Role'
      ManagedPolicyArns:
        - !Ref DenyPushToMasterPolicy
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Action:
            - sts:AssumeRole
          Effect: Allow
          Principal:
            Service:
              - codecommit.amazonaws.com

  DenyPushToMasterPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub '${ProjectCode}-${ProjectName}-${ComponentName}-DenyPush-Policy'
      Description: Policy to deny push to master
      PolicyDocument:
        Version: 2012-10-17
        Statement:
        - Action:
          - codecommit:GitPush
          - codecommit:PutFile
          - codecommit:DeleteBranch
          - codecommit:MergePullRequestByFastForward
          Effect: Deny
          Resource: !GetAtt CodeCommitRepository.Arn
          Condition:
            StringEqualsIfExists:
              codecommit:References: 
              - refs/heads/master
            'Null':
              codecommit:References: 'false'

As I understand which I wouldn't say is much, by creating the Role with the Policy and the sts:AssumeRole I thought that any user using that repository will assume that role that denys them the ability to push to master but that wasn't the case.

I guess that we may be overcomplicating things and we should put that policy unto all users directly on IAM but the idea is to have it done very granular. What am I doing wrong or is it even possible?.

Best regards

如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。

扫码二维码加入Web技术交流群

发布评论

需要 登录 才能够评论, 你可以免费 注册 一个本站的账号。

评论(1

旧话新听 2025-01-23 22:46:18

DenyPushRole 不适合任何用户。您将其指定为仅适用于 codecommit.amazonaws.com,这是不正确

用户不会自动承担任何角色。他们必须使用 明确假设您的 DenyPushRole ="nofollow noreferrer">AssumeRole API 调用。您的用户还必须拥有 sts:AssumeRole 权限。

因此,您的角色,一般形式应该是:

  DenyPushRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${ProjectCode}-${ProjectName}-${ComponentName}-DenyPush-Role'
      ManagedPolicyArns:
        - !Ref DenyPushToMasterPolicy
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Action:
            - sts:AssumeRole
          Effect: Allow
          Principal:
            AWS: 
              - !Ref AWS::AccountId

一旦角色存在,并且用户有 sts:AssumeRole 来承担它,他们将使用 AssumeRole 命令来实际执行承担这个角色。这将提供新的临时 AWS 凭证来执行该角色指定的任何操作。在您的情况下,角色仅否认,因此他们无论如何都无法执行任何操作。您需要向角色添加一些 allow 语句,以便您的用户能够真正执行某些操作,而不仅仅是 deny

DenyPushRole is not for any users. You specified it to be only for codecommit.amazonaws.com which is incorrect.

Users do not automatically assume any roles. They have to explicitly assume your DenyPushRole using AssumeRole API call. Your users must also have permission to sts:AssumeRole.

Thus your role, in a general form, should be:

  DenyPushRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: !Sub '${ProjectCode}-${ProjectName}-${ComponentName}-DenyPush-Role'
      ManagedPolicyArns:
        - !Ref DenyPushToMasterPolicy
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
        - Action:
            - sts:AssumeRole
          Effect: Allow
          Principal:
            AWS: 
              - !Ref AWS::AccountId

Once the role exist, and the users have sts:AssumeRole to assume it, they will use the AssumeRole command to actually assume the role. This will give then new, temporary AWS credentials to perform any actions specified by the role. In your case, the role only denies, so they will not be able to do anything anyway. You would need to add some allow statements to the role for your uses to be actually able to do something, not only deny.

回复 原文
~没有更多了~

关于作者

安穩

暂无简介

文章
评论
25 人气
发私信

相关话题

更多

热门标签

操作系统 程序设计 IT运维 Linux系统管理 JavaScript 服务器应用 solaris C/C++ PHP Shell BSD Vue.js aix Oracle Python HTML 系统管理 HTML5 CSS 前端
更多

推荐作者

尘曦

文章 0 评论 0

在梵高的星空下

文章 0 评论 0

善良天后

文章 0 评论 0

韬韬不绝

文章 0 评论 0

qq_CgiN62

文章 0 评论 0

不美如何

文章 0 评论 0

更多

友情链接

文江博客
    我们使用 Cookies 和其他技术来定制您的体验包括您的登录状态等。通过阅读我们的 隐私政策 了解更多相关信息。 单击 接受 或继续使用网站,即表示您同意使用 Cookies 和您的相关数据。
    原文