Allow power users on AWS to manage their passwords and keys
I created a user on AWS with the poweruser policy. The policy is

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "NotAction": "iam:*",
            "Resource": "*"
        }
    ]
}
Now, following the documentation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_delegate-permissions_examples.html#creds-policies-credentials), I created a custom policy that allows users to manage their own passwords and keys:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:*LoginProfile",
                "iam:*AccessKey*",
                "iam:ChangePassword",
                "iam:*SSHPublicKey*"
            ],
            "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListAccount*",
                "iam:GetAccountSummary",
                "iam:GetAccountPasswordPolicy",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
I still get the error

User: arn:aws:iam::1234567890:user/student is not authorized to perform: iam:CreateLoginProfile on resource: user student

Simulation gives an explicit deny error, which is not the case according to these policies.
See the code below: `account-id-without-hyphens` is a placeholder. Replace it with your account number and it will work.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:*LoginProfile",
                "iam:*AccessKey*",
                "iam:ChangePassword",
                "iam:*SSHPublicKey*"
            ],
            "Resource": "arn:aws:iam::account-id-without-hyphens:user/${aws:username}"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListAccount*",
                "iam:GetAccountSummary",
                "iam:GetAccountPasswordPolicy",
                "iam:ListUsers"
            ],
            "Resource": "*"
        }
    ]
}
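To see why the placeholder matters, here is an added example (not part of the question or the answer) that models the relevant slice of IAM policy evaluation in Python: wildcard `Action`/`NotAction` matching, `${aws:username}` substitution in `Resource` ARNs, and the deny-by-default rule. It evaluates the asker's `iam:CreateLoginProfile` call against both policies, once with the literal `account-id-without-hyphens` left in the ARN and once with the account id filled in. The account id `1234567890` and user name `student` are taken from the error message in the question; the evaluator itself is a simplified model, and the IAM Policy Simulator in the AWS console remains the authoritative check.

```python
import re

# Constructed sample: the two policies from the question. The power-user
# policy grants everything except IAM, so the self-service policy has to
# supply the IAM permissions on its own.
POWER_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}],
}


def self_service_policy(account_id: str) -> dict:
    """Self-service policy from the question; account_id fills the ARN."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["iam:*LoginProfile", "iam:*AccessKey*",
                           "iam:ChangePassword", "iam:*SSHPublicKey*"],
                "Resource": f"arn:aws:iam::{account_id}:user/${{aws:username}}",
            },
            {
                "Effect": "Allow",
                "Action": ["iam:ListAccount*", "iam:GetAccountSummary",
                           "iam:GetAccountPasswordPolicy", "iam:ListUsers"],
                "Resource": "*",
            },
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern: str, value: str, case_insensitive: bool) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' one char.
    Action names compare case-insensitively; ARNs are case-sensitive."""
    if case_insensitive:
        pattern, value = pattern.lower(), value.lower()
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def _statement_matches(stmt: dict, action: str, resource: str, ctx: dict) -> bool:
    if "Action" in stmt:
        action_hit = any(_glob_match(p, action, True) for p in _as_list(stmt["Action"]))
    else:
        # NotAction: the statement applies to every action NOT in the list.
        action_hit = not any(_glob_match(p, action, True) for p in _as_list(stmt["NotAction"]))
    # Expand policy variables such as ${aws:username} before matching the ARN.
    resources = [
        re.sub(r"\$\{([^}]+)\}", lambda m: ctx.get(m.group(1), m.group(0)), r)
        for r in _as_list(stmt.get("Resource", "*"))
    ]
    resource_hit = any(_glob_match(r, resource, False) for r in resources)
    return action_hit and resource_hit


def evaluate(policies, action: str, resource: str, ctx: dict) -> str:
    """Simplified IAM decision: explicit Deny wins, then Allow, else implicit deny."""
    decision = "implicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "explicitDeny"
                decision = "allowed"
    return decision


def demo():
    """Returns (placeholder left in, account id filled in, another user's ARN)."""
    user_arn = "arn:aws:iam::1234567890:user/student"   # from the error message
    ctx = {"aws:username": "student"}
    broken = [POWER_USER_POLICY, self_service_policy("account-id-without-hyphens")]
    fixed = [POWER_USER_POLICY, self_service_policy("1234567890")]
    return (
        evaluate(broken, "iam:CreateLoginProfile", user_arn, ctx),
        evaluate(fixed, "iam:CreateLoginProfile", user_arn, ctx),
        evaluate(fixed, "iam:CreateLoginProfile", "arn:aws:iam::1234567890:user/other", ctx),
    )


if __name__ == "__main__":
    print(demo())
```

With the placeholder left in, the `Resource` ARN never equals the caller's real ARN, so no statement matches and the request falls through to the default deny; the power-user policy cannot rescue it because `NotAction: iam:*` excludes every IAM call. Once the account id is filled in, the `${aws:username}` substitution makes the ARN match the calling user only, which is also why the third call (a different user's ARN) stays denied.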