Question
Background:
With cross-account role someaccountrole, I have access to AWS account xyz.
Case 1
To create a stack in account xyz, we upload the CloudFormation file through the console. Amidst stack creation, in the Events tab, we see the very first event, as shown below:
Case 2
We create an EC2 instance in the xyz account.
Using sam deploy, where sam deploy is a wrapper of aws cloudformation deploy, we run the below command from EC2 for stack creation:
aws cloudformation deploy --template-file cfntemplate.yml --stack-name somestack-test --region us-east-1
Amidst stack creation, we see a similar event created (as shown below):
In case 2, the user is arn:aws:sts::${AccountId}:assumed-role/Autodeploy/i-0000000cc4, where we created the Autodeploy role and assigned it to EC2. This user disappears after stack creation is complete.
But in case 2, the user (i-0000000cc4) needs permission to perform the following operations, unlike case 1:
{
    "Action": [
        "cloudformation:CreateStack",
        "cloudformation:CreateChangeSet",
        "cloudformation:CreateUploadBucket",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:DeleteStack",
        "cloudformation:Describe*",
        "cloudformation:UpdateStack"
    ],
    "Resource": [
        "arn:aws:cloudformation:us-east-1:${AccountId}:stack/somestack*"
    ],
    "Effect": "Allow"
}
Otherwise, the Events tab gives the below error in case 2:
User: arn:aws:sts::${AccountId}:assumed-role/Autodeploy/i-0000000cc4 is not authorized to perform: cloudformation:CreateChangeSet on resource: arn:aws:cloudformation:us-east-1:${AccountId}:stack/somestack-test
1) In case 1, permissions are given as someaccountrole for stack creation. But in case 2, why does stack creation through the AWS CLI require stack creation permission?
2) How to assign an inline policy (short-lived) to such a temporary session resource (i-0000000cc4) instead of to an EC2?
Answer 1:
> 1) In case 1, permissions are given as someaccountrole for stack creation. But in case 2, why does stack creation through the AWS CLI require stack creation permission?
The stack in case 1 is created by the role you specify with the Permissions stack option, see [1]. This AWS Identity and Access Management (IAM) service role usually has the required cloudformation:... permissions you listed above.
> 2) How to assign an inline policy (short-lived) to such a temporary session resource (i-0000000cc4) instead of to an EC2?
Assigning the policy to the EC2 instance's instance profile is correct!
If you want to run an AWS CLI command from the EC2 instance and you want to use the Instance Metadata Service to authenticate your CLI session, you have to attach the required permissions as an inline policy of the role which is attached to your EC2 instance via the instance profile.
For more information about the Instance Metadata Service, see [2][3]. For an unofficial but thorough blog post which explains the concepts well, see [4].
References
[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-add-tags.html
[2] https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-metadata.html
[3] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials
[4] https://blog.gruntwork.io/authenticating-to-aws-with-instance-metadata-b6d812a86b40
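As an added illustration (not code from the question or the answer above), the following Python builds the inline policy the EC2 role needs, scoped to the stack-name prefix from the question, and sanity-checks it with a minimal Allow-only wildcard evaluator; the account id, region, stack prefix and role name are constructed placeholders.

```python
import fnmatch
import json

# Constructed placeholders; substitute the real account id and region.
ACCOUNT_ID = "123456789012"
REGION = "us-east-1"
STACK_PREFIX = "somestack"   # matches somestack-test and any other somestack* stack


def stack_arn(account_id: str, region: str, stack_name: str) -> str:
    """ARN form CloudFormation reports in the 'not authorized' event."""
    return f"arn:aws:cloudformation:{region}:{account_id}:stack/{stack_name}"


def build_inline_policy(account_id: str, region: str, stack_prefix: str) -> dict:
    """Inline policy for the instance role (Autodeploy in the question), limited
    to the stacks that `aws cloudformation deploy` creates under one prefix."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:CreateChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:DeleteStack",
                "cloudformation:Describe*",
                "cloudformation:UpdateStack",
            ],
            "Resource": [f"arn:aws:cloudformation:{region}:{account_id}:stack/{stack_prefix}*"],
        }],
    }


def _matches(patterns, value: str) -> bool:
    # IAM-style '*' / '?' wildcards; ARNs contain no '[' so fnmatch is safe here.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """Minimal check: Allow statements only, no Deny, no Condition keys."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if _matches(actions, action) and _matches(resources, resource):
            return True
    return False


if __name__ == "__main__":
    policy = build_inline_policy(ACCOUNT_ID, REGION, STACK_PREFIX)
    print(json.dumps(policy, indent=2))  # document to attach to the role
    # The operation that failed in the question's Events tab is now permitted:
    print(policy_allows(policy, "cloudformation:CreateChangeSet",
                        stack_arn(ACCOUNT_ID, REGION, "somestack-test")))
```

The printed document is what you would attach with `aws iam put-role-policy --role-name Autodeploy --policy-name cfn-deploy --policy-document file://policy.json`. The evaluator ignores Deny statements and conditions, so use the IAM policy simulator for a real check.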
Source: https://stackoverflow.com/questions/57343279/how-to-assign-a-policy-to-adhoc-user