AWS Proton IAM service role policy examples - AWS Proton


AWS Proton IAM service role policy examples

Administrators own and manage the resources that AWS Proton creates as defined by environment and service templates. They attach IAM service roles to their account that permit AWS Proton to create resources on their behalf. Administrators supply the IAM roles and AWS Key Management Service keys for resources that are later owned and managed by developers when AWS Proton deploys their applications as AWS Proton services in AWS Proton environments. For more information about AWS KMS and data encryption, see Data protection in AWS Proton.

A service role is an AWS Identity and Access Management (IAM) role that allows AWS Proton to call resources on your behalf. If you specify a service role, AWS Proton uses that role's credentials. Use a service role to explicitly specify the actions that AWS Proton can perform.

You create the service role and its permissions policy with the IAM service. For more information about creating a service role, see Creating a role to delegate permissions to an AWS service in the IAM User Guide.

AWS Proton service role

As a member of the platform team, you, as an administrator, can create an AWS Proton service role that allows AWS Proton to make API calls to other services, such as CloudFormation, on your behalf.

We recommend that you use the following IAM role and trust policy for your AWS Proton service role. When you use the AWS Proton console to create your role, this is the AWS Proton service role policy that AWS Proton creates for you. When scoping down the permissions of this policy, be aware that AWS Proton fails with Access Denied errors when a permission it needs is missing.

Important

Be aware that the policies shown in the following examples grant administrator privileges to anyone who can register a template with your account. Because we don't know which resources you will define in your AWS Proton templates, these policies have broad permissions. We recommend that you scope down the permissions to the specific resources that will be deployed in your environments.

IAM AWS Proton service role policy

Replace 123456789012 with your AWS account ID.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CancelUpdateStack",
        "cloudformation:ContinueUpdateRollback",
        "cloudformation:CreateChangeSet",
        "cloudformation:CreateStack",
        "cloudformation:DeleteChangeSet",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeStackDriftDetectionStatus",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResourceDrifts",
        "cloudformation:DescribeStacks",
        "cloudformation:DetectStackResourceDrift",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:ListChangeSets",
        "cloudformation:ListStackResources",
        "cloudformation:UpdateStack"
      ],
      "Resource": "arn:aws:cloudformation:*:123456789012:stack/AWSProton-*"
    },
    {
      "Effect": "Allow",
      "NotAction": [
        "organizations:*",
        "account:*"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["cloudformation.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "account:ListRegions"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["cloudformation.amazonaws.com"]
        }
      }
    }
  ]
}

IAM AWS Proton service trust policy

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ServiceTrustRelationshipWithConfusedDeputyPrevention",
    "Effect": "Allow",
    "Principal": {"Service": "proton.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "aws:SourceAccount": "123456789012"
      },
      "ArnLike": {
        "aws:SourceArn": "arn:aws:proton:*:123456789012:environment/*"
      }
    }
  }
}

The following is an example of a scoped-down AWS Proton service role policy that you can use if you only need AWS Proton services that provision S3 resources.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CancelUpdateStack",
        "cloudformation:ContinueUpdateRollback",
        "cloudformation:CreateChangeSet",
        "cloudformation:CreateStack",
        "cloudformation:DeleteChangeSet",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeStackDriftDetectionStatus",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResourceDrifts",
        "cloudformation:DescribeStacks",
        "cloudformation:DetectStackResourceDrift",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:ListChangeSets",
        "cloudformation:ListStackResources",
        "cloudformation:UpdateStack"
      ],
      "Resource": "arn:aws:cloudformation:*:123456789012:stack/AWSProton-*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["cloudformation.amazonaws.com"]
        }
      }
    }
  ]
}

AWS Proton pipeline service role

As a member of the platform team, you, as an administrator, can create an AWS Proton pipeline service role that allows AWS Proton to make CloudFormation API calls on your behalf to deploy the CloudFormation stacks used for pipelines.

We recommend that you use the following IAM role and trust policy for your AWS Proton pipeline service role. When you use the AWS Proton console to create your role, this is the AWS Proton pipeline service role policy that AWS Proton creates for you. When scoping down the permissions of this policy, be aware that AWS Proton fails with Access Denied errors when a permission it needs is missing.

Important

Be aware that the policies shown in the following examples grant administrator privileges to anyone who can register a template with your account. Because we don't know which resources you will define in your AWS Proton templates, these policies have broad permissions. We recommend that you scope down the permissions to the specific resources that will be deployed in your pipelines.

IAM AWS Proton pipeline service role policy

Replace 123456789012 with your AWS account ID.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CancelUpdateStack",
        "cloudformation:ContinueUpdateRollback",
        "cloudformation:CreateChangeSet",
        "cloudformation:CreateStack",
        "cloudformation:DeleteChangeSet",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeChangeSet",
        "cloudformation:DescribeStackDriftDetectionStatus",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStackResourceDrifts",
        "cloudformation:DescribeStacks",
        "cloudformation:DetectStackResourceDrift",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:ListChangeSets",
        "cloudformation:ListStackResources",
        "cloudformation:UpdateStack"
      ],
      "Resource": "arn:aws:cloudformation:*:123456789012:stack/AWSProton-*"
    },
    {
      "Effect": "Allow",
      "NotAction": [
        "organizations:*",
        "account:*"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["cloudformation.amazonaws.com"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeOrganization",
        "account:ListRegions"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": ["cloudformation.amazonaws.com"]
        }
      }
    }
  ]
}

IAM AWS Proton pipeline service trust policy

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "PipelineTrustRelationshipWithConfusedDeputyPrevention",
    "Effect": "Allow",
    "Principal": {"Service": "proton.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "aws:SourceAccount": "123456789012"
      },
      "ArnLike": {
        "aws:SourceArn": "arn:aws:proton:*:123456789012:environment/*"
      }
    }
  }
}

To see an example of a scoped-down policy, see AWS Proton service role.

AWS Proton component role

As a member of the platform team, you, as an administrator, can create an AWS Proton service role that allows AWS Proton to provision directly defined components on your behalf. This role scopes down the infrastructure that directly defined components can provision. For more information about components, see AWS Proton components.

The following example policy supports creating directly defined components that provision Amazon Simple Storage Service (Amazon S3) buckets and related access policies.

IAM AWS Proton directly defined component policy example

Replace 123456789012 with your AWS account ID.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CancelUpdateStack",
        "cloudformation:CreateChangeSet",
        "cloudformation:DeleteChangeSet",
        "cloudformation:DescribeStacks",
        "cloudformation:ContinueUpdateRollback",
        "cloudformation:DetectStackResourceDrift",
        "cloudformation:DescribeStackResourceDrifts",
        "cloudformation:DescribeStackEvents",
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:UpdateStack",
        "cloudformation:DescribeChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:ListChangeSets",
        "cloudformation:ListStackResources"
      ],
      "Resource": "arn:aws:cloudformation:*:123456789012:stack/AWSProton-*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucket",
        "iam:CreatePolicy",
        "iam:DeletePolicy",
        "iam:GetPolicy",
        "iam:ListPolicyVersions",
        "iam:DeletePolicyVersion"
      ],
      "Resource": "*",
      "Condition": {
        "ForAnyValue:StringEquals": {
          "aws:CalledVia": "cloudformation.amazonaws.com"
        }
      }
    }
  ]
}
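The scoped-down S3 service role policy earlier on this page and this component policy share one shape: CloudFormation actions confined to AWSProton-* stacks, and every other action usable only when CloudFormation is the caller (aws:CalledVia). The following Python is an added example, not AWS's code; it audits a role policy for that shape and flags the NotAction statement that makes the broad policies admin-equivalent. The embedded policies are constructed, abbreviated copies of the ones on this page, and aws:CalledVia is accepted as a string or a list because the page uses both forms.

```python
CFN = "cloudformation.amazonaws.com"
STACKS = "arn:aws:cloudformation:*:123456789012:stack/AWSProton-*"  # page's placeholder account
CALLED_VIA_CFN = {"ForAnyValue:StringEquals": {"aws:CalledVia": [CFN]}}

def statements(policy):
    stmts = policy["Statement"]  # IAM allows one statement object or a list
    return stmts if isinstance(stmts, list) else [stmts]

def as_list(value):
    """IAM lets Action, Resource and condition values be a string or a list."""
    return [value] if isinstance(value, str) else list(value or [])

def called_via_cloudformation(stmt):
    """True when the statement applies only to calls CloudFormation makes on Proton's behalf."""
    via = stmt.get("Condition", {}).get("ForAnyValue:StringEquals", {}).get("aws:CalledVia")
    return CFN in as_list(via)

def audit_proton_role_policy(policy, stack_arn=STACKS):
    """Findings that make a Proton service or component role policy broader than it needs to be."""
    findings = []
    for i, s in enumerate(statements(policy)):
        if s.get("Effect") != "Allow":
            continue
        actions, resources = as_list(s.get("Action")), as_list(s.get("Resource"))
        if "NotAction" in s:
            # Every action except the listed ones: the admin-equivalent grant the page warns about.
            findings.append(f"statement {i}: NotAction grants every action not listed; admin-equivalent")
        elif all(a.startswith("cloudformation:") for a in actions):
            if any(r != stack_arn for r in resources):
                findings.append(f"statement {i}: CloudFormation actions not limited to {stack_arn}")
        elif not called_via_cloudformation(s):
            findings.append(f"statement {i}: actions usable directly, not only via CloudFormation")
    return findings

# Constructed, abbreviated copies of the page's policies (the page lists every CloudFormation action).
CFN_ACTIONS = ["cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:DeleteStack"]
BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": CFN_ACTIONS, "Resource": STACKS},
    {"Effect": "Allow", "NotAction": ["organizations:*", "account:*"],
     "Resource": "*", "Condition": CALLED_VIA_CFN}]}
S3_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": CFN_ACTIONS, "Resource": STACKS},
    {"Effect": "Allow", "Action": ["s3:*"], "Resource": "*", "Condition": CALLED_VIA_CFN}]}
COMPONENT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": CFN_ACTIONS, "Resource": STACKS},
    {"Effect": "Allow", "Action": ["s3:CreateBucket", "s3:DeleteBucket", "iam:CreatePolicy"],
     "Resource": "*", "Condition": {"ForAnyValue:StringEquals": {"aws:CalledVia": CFN}}}]}
```

Running the audit on BROAD reports the NotAction statement; S3_ONLY and COMPONENT return no findings.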

IAM AWS Proton service trust policy

{
  "Version": "2012-10-17",
  "Statement": {
    "Sid": "ServiceTrustRelationshipWithConfusedDeputyPrevention",
    "Effect": "Allow",
    "Principal": {"Service": "proton.amazonaws.com"},
    "Action": "sts:AssumeRole",
    "Condition": {
      "StringEquals": {
        "aws:SourceAccount": "123456789012"
      },
      "ArnLike": {
        "aws:SourceArn": "arn:aws:proton:*:123456789012:environment/*"
      }
    }
  }
}
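The three trust policies on this page (service, pipeline and component role) differ only in their Sid, and all rely on aws:SourceAccount plus aws:SourceArn to stop a confused-deputy request from another account's Proton resources. As an added example that is not AWS's code, the following Python checks a trust policy for those two guards and implements ArnLike matching field by field so you can see which environment ARNs the policy would accept; the policy copy, the probe ARN and the account ID are constructed, using the standard arn:partition:service:region:account:resource layout.

```python
import fnmatch

ACCOUNT = "123456789012"  # placeholder account ID used throughout the page

# Constructed copy of the page's service trust policy.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "ServiceTrustRelationshipWithConfusedDeputyPrevention",
        "Effect": "Allow",
        "Principal": {"Service": "proton.amazonaws.com"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "StringEquals": {"aws:SourceAccount": ACCOUNT},
            "ArnLike": {"aws:SourceArn": f"arn:aws:proton:*:{ACCOUNT}:environment/*"},
        },
    },
}

def statements(policy):
    """IAM accepts "Statement" as one object or a list; normalise to a list."""
    stmts = policy["Statement"]
    return stmts if isinstance(stmts, list) else [stmts]

def arn_like(pattern, arn):
    """IAM ArnLike: '*' and '?' match within each of the six colon-separated ARN fields."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False  # not a full six-field ARN
    return all(fnmatch.fnmatchcase(a, p) for p, a in zip(p_parts, a_parts))

def trust_findings(policy, account):
    """Findings for statements that let proton.amazonaws.com assume the role."""
    findings = []
    for s in statements(policy):
        principal = s.get("Principal", {}).get("Service")
        if s.get("Effect") != "Allow" or principal != "proton.amazonaws.com":
            continue
        cond = s.get("Condition", {})
        if cond.get("StringEquals", {}).get("aws:SourceAccount") != account:
            findings.append("aws:SourceAccount is missing or names another account")
        src_arn = cond.get("ArnLike", {}).get("aws:SourceArn")
        if src_arn is None:
            findings.append("aws:SourceArn is missing: any Proton resource could trigger AssumeRole")
        elif not arn_like(src_arn, f"arn:aws:proton:us-east-1:{account}:environment/probe"):  # constructed probe
            findings.append("aws:SourceArn never matches an environment in this account")
    return findings
```

A pattern with a mistyped field (for example an empty service field, arn:aws::proton:...) produces the "never matches" finding, which is the symptom you would see as Proton failing to assume the role.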