本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
AWSSupport-GrantPermissionsToIAMUser
描述
此 Runbook 向IAM群组(新群组或现有群组)授予指定权限,并将现有IAM用户添加到该群组。您可以选择的策略:账单
重要
如果您提供现有IAM群组,则该群组中的所有当前IAM用户都将获得新的权限。
文档类型
自动化
所有者
Amazon
平台
Linux,macOS, Windows
参数
-
AutomationAssumeRole
类型:字符串
描述:(可选)允许 Systems ARN Manager Automation 代表您执行操作的 AWS Identity and Access Management (IAM) 角色的亚马逊资源名称 ()。如果未指定角色,Systems Manager Automation 将使用启动此运行手册的用户的权限。
-
IAMGroupName
类型:字符串
默认: ExampleSupportAndBillingGroup
描述:(必需)可以是新组或现有组。必须遵守IAM实体名称限制。
-
IAMUserName
类型:字符串
默认: ExampleUser
描述:(必需)必须是现有用户。
-
LambdaAssumeRole
类型:字符串
描述:(可选)lambda 所担任的角色。ARN
-
权限
类型:字符串
有效值: SupportFullAccess | BillingFullAccess | SupportAndBillingFullAccess
默认: SupportAndBillingFullAccess
描述:(必需)选择以下值之一:
SupportFullAccess
授予支持中心的完全访问权限。BillingFullAccess
授予“账单”控制面板的完全访问权限。SupportAndBillingFullAccess
授予支持中心和“账单”控制面板的完全访问权限。有关策略的更多信息,请参阅文档详细信息。
所需的 IAM 权限
AutomationAssumeRole
参数需要执行以下操作才能成功使用运行手册。
所需的权限取决于 AWSSupport-GrantPermissionsToIAMUser
的运行方式。
以当前登录的用户或角色运行
建议您附加AmazonSSMAutomationRole
亚马逊托管策略以及以下额外权限,以便能够创建 Lambda 函数和要传递给 Lambda 的IAM角色:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"lambda:InvokeFunction",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction"
],
"Resource": "arn:aws:lambda:*:ACCOUNTID:function:AWSSupport-*",
"Effect": "Allow"
},
{
"Effect" : "Allow",
"Action" : [
"iam:CreateGroup",
"iam:AddUserToGroup",
"iam:ListAttachedGroupPolicies",
"iam:GetGroup",
"iam:GetUser"
],
"Resource" : [
"arn:aws:iam::*:user/*",
"arn:aws:iam::*:group/*"
]
},
{
"Effect" : "Allow",
"Action" : [
"iam:AttachGroupPolicy"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"iam:PolicyArn": [
"arn:aws:iam::aws:policy/job-function/Billing",
"arn:aws:iam::aws:policy/AWSSupportAccess"
]
}
}
},
{
"Effect" : "Allow",
"Action" : [
"iam:ListAccountAliases",
"iam:GetAccountSummary"
],
"Resource" : "*"
}
]
}
使用 AutomationAssumeRole 和 LambdaAssumeRole
用户必须对运行手册具有 ssm: StartAutomationExecution 权限,对作为AutomationAssumeRole和传递的IAM角色必须具有 PassRole iam: 权限。LambdaAssumeRole以下是每个IAM角色所需的权限:
AutomationAssumeRole
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"lambda:InvokeFunction",
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:GetFunction"
],
"Resource": "arn:aws:lambda:*:ACCOUNTID:function:AWSSupport-*",
"Effect": "Allow"
}
]
}
LambdaAssumeRole
{
"Version": "2012-10-17",
"Statement": [
{
"Effect" : "Allow",
"Action" : [
"iam:CreateGroup",
"iam:AddUserToGroup",
"iam:ListAttachedGroupPolicies",
"iam:GetGroup",
"iam:GetUser"
],
"Resource" : [
"arn:aws:iam::*:user/*",
"arn:aws:iam::*:group/*"
]
},
{
"Effect" : "Allow",
"Action" : [
"iam:AttachGroupPolicy"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"iam:PolicyArn": [
"arn:aws:iam::aws:policy/job-function/Billing",
"arn:aws:iam::aws:policy/AWSSupportAccess"
]
}
}
},
{
"Effect" : "Allow",
"Action" : [
"iam:ListAccountAliases",
"iam:GetAccountSummary"
],
"Resource" : "*"
}
]
}
文档步骤
-
aws:createStack
-运行 AWS CloudFormation 模板创建 Lambda 函数。 -
aws:invokeLambdaFunction
-运行 Lambda 来设置IAM权限。 -
aws:deleteStack
-删除 CloudFormation 模板。
输出
配置 IAM .Payloa