Creating a role for an on-premise server to assume for AWS CodeDeploy
I am following the tutorial found here to use an on-premise server with CodeDeploy. I am a bit confused about the first few steps. When I create the role for the on-premise server, what should I choose as the service that will use the role (in the console)? I do understand what policy the role should have, allowing the s3:Get and s3:List actions on all resources. To give more information, I want to use the aws-codedeploy-session-helper tool to periodically refresh the session credentials for me; the IAM user policy used by this tool is as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:CreateUser",
        "iam:DeleteAccessKey",
        "iam:DeleteUser",
        "iam:DeleteUserPolicy",
        "iam:ListAccessKeys",
        "iam:ListUserPolicies",
        "iam:PutUserPolicy",
        "iam:GetUser",
        "iam:AddRoleToInstanceProfile",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:DeleteInstanceProfile",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:GetInstanceProfile",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRolePolicies",
        "iam:ListRoles",
        "iam:PassRole",
        "iam:PutRolePolicy",
        "iam:RemoveRoleFromInstanceProfile",
        "autoscaling:*",
        "codedeploy:*",
        "ec2:*",
        "lambda:*",
        "elasticloadbalancing:*",
        "s3:*"
      ],
      "Resource": "*"
    }
  ]
}
You need to allow the on-premise server to call the STS AssumeRole API, so the service should be "STS":
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::<ACCOUNT-ID>:role/<ROLENAME>"
  }
}
Then, in the IAM role, add a "Trust" policy for the server:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<ACCOUNT-ID>:user/<USER-NAME>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
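As an added example (not from the question or the answer), a small offline check in Python that the three documents the answer describes fit together: the user's policy granting sts:AssumeRole on the role, the role's trust policy naming that user, and the role's own permission policy limited to the s3:Get/s3:List reads the question mentions. The account id, user name and role name are constructed placeholders, and the evaluator is a deliberately simplified model of IAM (Allow/Deny with wildcard matching only).

```python
import fnmatch

ACCOUNT = "123456789012"  # constructed placeholder account id
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/codedeploy-onprem"      # placeholder user
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/CodeDeployOnPremRole"   # placeholder role

# 1) Policy on the IAM user whose keys live on the server: only sts:AssumeRole on this role.
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

# 2) Trust policy on the role: which principals may assume it.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole"}]}

# 3) Permission policy on the role: the S3 reads the question mentions, nothing more.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*"], "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(patterns, value, fold=False):
    # IAM wildcards are '*' and '?'; action names compare case-insensitively (fold=True).
    if fold:
        value, patterns = value.lower(), [p.lower() for p in _as_list(patterns)]
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def allows(policy, action, resource):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for s in _as_list(policy["Statement"]):
        if _match(s.get("Action", []), action, fold=True) and _match(s.get("Resource", []), resource):
            if s["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def trusts(trust_policy, principal_arn):
    """True if an Allow statement names principal_arn as an AWS principal for sts:AssumeRole."""
    for s in _as_list(trust_policy["Statement"]):
        principals = s["Principal"].get("AWS", []) if isinstance(s.get("Principal"), dict) else []
        if (s["Effect"] == "Allow" and _match(s.get("Action", []), "sts:AssumeRole", fold=True)
                and _match(principals, principal_arn)):
            return True
    return False

def can_assume(user_arn, role_arn, user_policy, trust_policy):
    """Both halves must agree: the user may call AssumeRole on the role AND the role trusts the user."""
    return allows(user_policy, "sts:AssumeRole", role_arn) and trusts(trust_policy, user_arn)
```

If either half is missing, can_assume returns False, which is exactly the "access denied" a server sees when only one of the two policies was written.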