是否可以定义AWS IAM权限以仅创建具有特定标签的RDS iNSAS？

发布于 2025-01-31 18:35:23 字数 890 浏览 2 评论 0原文

我正在尝试定义IAM角色 +策略，以通过云形式来部署和管理RDS实例。因此，我正在写一个IAM角色，该角色将传递给部署的云形象。

该角色应允许使用特定标签部署和管理RDS实例，而不是创建任何没有标签的实例。

因此，我正在尝试的角色是此（IAM策略）：

    {
        "Condition": {
            "StringEquals": {
                "rds:req-tag/Project": "myproject" 
            }
        },
        "Action": [
            "rds:Create*",
            "rds:Restore*"
        ],
        "Resource": "*",
        "Effect": "Allow"
    },

然而，当我尝试使用cloudformation创建标签project = myProject的rds实例时，我会得到：

API: rds:CreateDBInstance User: <me> is not authorized to perform: rds:CreateDBInstance on resource: arn:aws:rds:eu-central-1:078433912766:db:ss9wm5ynvx3n8i because no identity-based policy allows the rds:CreateDBInstance action

通过云图，在我看来，云形式不会发送创建实例时的标签，这可能是导致失败的原因。

所以我想知道：我在提出什么可能吗？还是我必须接受以下事实，即我不能限制云形式，以便它只能创建具有特定标签的RDS实例？

原文

I am trying to define an IAM Role + Polices to be used to deploy and manage RDS Instances via Cloudformation. So I am writing a IAM Role, that will be passed to Cloudformation for the deployment.

The Role should allow to deploy and manage RDS instances with specific tags, and not create any instance that does not have the tags.

So what I am trying int the role is this (IAM Policy):

    {
        "Condition": {
            "StringEquals": {
                "rds:req-tag/Project": "myproject" 
            }
        },
        "Action": [
            "rds:Create*",
            "rds:Restore*"
        ],
        "Resource": "*",
        "Effect": "Allow"
    },

Yet, when I try to create RDS Instance with the Tag Project=myproject using Cloudformation, I get:

API: rds:CreateDBInstance User: <me> is not authorized to perform: rds:CreateDBInstance on resource: arn:aws:rds:eu-central-1:078433912766:db:ss9wm5ynvx3n8i because no identity-based policy allows the rds:CreateDBInstance action

Lookling through CloudTrail it seems to me, that Cloudformation does not send the tags when creating the Instance, which is probably the reason why this fails.

So I wonder: is what I am tyring even possible? Or do I have to accept the fact, that I cannot restrict Cloudformation so that it can only create RDS Instances with specific tags?

分享到QQ

分享到微博

如果你对这篇内容有疑问，欢迎到本站社区发帖提问参与讨论，获取更多帮助，或者扫码二维码加入 Web 技术交流群。

发布评论

需要登录才能够评论，你可以免费注册一个本站的账号。

寄居人 2025-02-07 18:35:23

测试了以下策略

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringEquals": {
                    "rds:req-tag/Project": "myproject"
                }
            },
            "Action": [
                "rds:Create*",
                "rds:Restore*",
                "rds:AddTagsToResource"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

我使用以下CLI命令

aws rds create-db-instance \
    --db-instance-identifier test-mysql-instance \
    --db-instance-class db.t3.micro \
    --engine mysql \
    --master-username admin \
    --master-user-password secret99 \
    --allocated-storage 20 \
    --region us-east-1 \
    --tags Key=Project,Value=myproject

，并且可以确认它是按预期工作的。

I tested the following policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Condition": {
                "StringEquals": {
                    "rds:req-tag/Project": "myproject"
                }
            },
            "Action": [
                "rds:Create*",
                "rds:Restore*",
                "rds:AddTagsToResource"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

with the following CLI command

aws rds create-db-instance \
    --db-instance-identifier test-mysql-instance \
    --db-instance-class db.t3.micro \
    --engine mysql \
    --master-username admin \
    --master-user-password secret99 \
    --allocated-storage 20 \
    --region us-east-1 \
    --tags Key=Project,Value=myproject

and I can confirm that it's working as intended.

回复收藏 0 原文

~没有更多了~