How to assign a policy to adhoc user?

风流意气都作罢 提交于 2019-12-13 03:49:06

问题


Background:

With cross account role someaccountrole, I have access to aws account xyz.


Case 1

To create a stack in account xyz, we upload the Cloudformation file through console.

Amidst stack creation in Events tab, we see the very first event, as shown below:


Case 2

We create EC2 instance in xyz account.

Using sam deploy, where sam deploy is a wrapper of aws cloudformation deploy, we run below command from EC2, for stack creation:

aws cloudformation deploy --template-file cfntemplate.yml --stack-name somestack-test --region us-east-1

Amidst stack creation, we see the similar event created (as shown below):


In case 2, user is: arn:aws:sts::${AccountId}:assumed-role/Autodeploy/i-0000000cc4, where we created Autodeploy role and assigned to EC2. This user disappears after stack creation is complete.


But in case 2, user(i-0000000cc4) need permission to perform following operations, unlike case 1:

     {
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:CreateChangeSet",
                "cloudformation:CreateUploadBucket",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:DeleteStack",
                "cloudformation:Describe*",
                "cloudformation:UpdateStack"
            ],
            "Resource": [
                "arn:aws:cloudformation:us-east-1:${AccountId}:stack/somestack*”
            ],
            "Effect": "Allow"
        }

otherwise, Events tab gives below error in case 2:

User: arn:aws:sts::${AccountId}:assumed-role/Autodeploy/i-0000000cc4 
is not authorized to perform: cloudformation:CreateChangeSet on resource:
arn:aws:cloudformation:us-east-1:${AccountId}:stack/somestack-test

1) In case 1, permissions are given as someaccountrole for stack creation. but in case 2, Why stack creation through AWS CLI require stack creation permission?

2) How to assign an inline policy(short living) to such temporary session resource(i-0000000cc4) instead to an EC2??


回答1:


1) In case 1, permissions are given as someaccountrole for stack creation. but in case 2, Why stack creation through AWS CLI require stack creation permission?

The stack in case 1 is created by the role you specify with the Permissions stack option, see [1]. This AWS Identity and Access Management (IAM) service role usually has the required cloudformation:... permissions you listed above.

2) How to assign an inline policy(short living) to such temporary session resource(i-0000000cc4) instead to an EC2??

Assigning the policy to the EC2 instance's instance profile is correct!

If you want to run an AWS CLI command from the EC2 instance and you want to use the Instance Metadata service to authenticate your CLI session, you have to attach the required permissions as inline policy of the role which is attached to your EC2 instance via the instance profile.

For more information about the Instance Metadata Service, see [2][3]. For an unofficial but thorough blog post which explains the concepts well, see [4].

References

[1] https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cfn-console-add-tags.html
[2] https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-metadata.html
[3] https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html#instance-metadata-security-credentials
[4] https://blog.gruntwork.io/authenticating-to-aws-with-instance-metadata-b6d812a86b40



来源:https://stackoverflow.com/questions/57343279/how-to-assign-a-policy-to-adhoc-user

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!