AWS CodeCommit With Multi-factor Authentication. Keep getting fatal: unable to access .. The requested URL returned error: 403


What is the problem?

My IAM user has two policies: AdministratorAccess and ForceMultiFactorAuthentication. When the ForceMultiFactorAuthentication policy is attached, I get a 403 error from the Windows command line when I try to do anything with the repository (e.g. git clone ..). When I remove the policy, I can use the repository (e.g. git clone works).

My questions

Is there something in my ForceMultiFactorAuthentication policy that is preventing CodeCommit from working? How do I set up CodeCommit correctly with multi-factor authentication?

General reproduction steps

  1. Create an IAM user group named "Admins" with the AdministratorAccess and ForceMultiFactorAuthentication permissions
  2. Create a non-root IAM user
  3. Add the non-root IAM user to the "Admins" group
  4. Log in as the non-root IAM user and, on the "Security credentials" tab, set up MFA (scan the QR code, etc.) and create HTTPS Git credentials for AWS CodeCommit
  5. Create a repository in CodeCommit
  6. From the command line, locally try git clone https://git-codecommit...
  7. The command line returns fatal: unable to access 'https://git-codecommit...': The requested URL returned error: 403
  8. Remove the ForceMultiFactorAuthentication policy from my non-root IAM user's "Admins" group
  9. git clone .. and the repo clones. It works.

It doesn't make sense because...

My IAM user has AdministratorAccess. In addition, the policy summary shows that CodeCommit has full access to all resources.


My ForceMultiFactorAuthentication policy is as follows (very similar to the AWS-provided one):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:ListVirtualMFADevices",
                "iam:ListUsers"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
                "iam:ListUsers"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

The following section of your ForceMultiFactorAuthentication policy denies all requests that are not authenticated with MFA (except for the actions listed in the NotAction section):

{
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
        "iam:ListUsers"
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false"
        }
    }
}

With HTTPS Git credentials, you authenticate to the CodeCommit repository with a username and password. No session token (essentially the MFA code) is used, so MFA cannot be verified for the authentication, and your request is denied. The same applies to SSH key-pair authentication for CodeCommit.

To fix this, you can add the required codecommit actions to the NotAction list in the policy. You also need to include the kms actions, because the data in a CodeCommit repository is encrypted in transit and at rest, so the encrypt and decrypt operations need permission when you clone, pull, or push from/to the repos.

The following policy fixes your CodeCommit 403 error.

{
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
        "iam:ListUsers",
        "codecommit:GitPull",
        "codecommit:GitPush",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false"
        }
    }
}

Since you already have the AdministratorAccess policy attached to your user, you don't need the full contents of the ForceMultiFactorAuthentication policy; the statement above is enough. If you want to enforce the MFA restriction for all IAM users (non-admin users), attach the policy with its full contents to those users.
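To make the evaluation the answer relies on concrete, here is a small Python model of it. This is an added example, not AWS code and not from the original post; it implements only the subset of IAM semantics this page depends on (an explicit Deny beats any Allow, NotAction matches every action not listed, and BoolIfExists treats a missing context key as a match), ignores resource matching and other condition operators, and assumes that a request signed with HTTPS Git credentials carries no aws:MultiFactorAuthPresent key at all, which is what the answer describes. The statements, request contexts, and the AdministratorAccess stand-in are constructed inline.

```python
"""Toy evaluator for the Deny + NotAction + BoolIfExists pattern.

Added example; not AWS code and not from the original post.  It models
only the IAM semantics this page depends on: an explicit Deny beats any
Allow, NotAction matches every action *not* listed, and BoolIfExists
treats a missing context key as a match.  Resource matching, other
condition operators and anything beyond fnmatch-style action wildcards
are not modelled.
"""
import fnmatch

# The asker's Deny statement, copied from the policy above.
DENY_NO_MFA = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
        "iam:ListUsers",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

# The answer's fix: the same statement with the Git and KMS actions exempted.
FIXED_DENY_NO_MFA = dict(
    DENY_NO_MFA,
    NotAction=DENY_NO_MFA["NotAction"] + [
        "codecommit:GitPull",
        "codecommit:GitPush",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey",
    ],
)

# Constructed stand-in for the AdministratorAccess managed policy.
ADMINISTRATOR_ACCESS = {"Effect": "Allow", "Action": "*", "Resource": "*"}

# Constructed request contexts.  HTTPS Git credentials are a plain
# username/password, so the aws:MultiFactorAuthPresent key is assumed to be
# absent entirely (assumption, matching the answer's explanation).  A session
# obtained with an MFA code carries the key set to true; one obtained without
# carries it set to false.
GIT_CREDENTIALS_CTX = {}
MFA_SESSION_CTX = {"aws:MultiFactorAuthPresent": True}
NO_MFA_SESSION_CTX = {"aws:MultiFactorAuthPresent": False}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def condition_matches(condition, ctx):
    """Only BoolIfExists is modelled: a missing key counts as a match."""
    for operator, pairs in condition.items():
        if operator != "BoolIfExists":
            raise NotImplementedError(f"condition operator {operator}")
        for key, wanted in pairs.items():
            if key not in ctx:
                continue  # "IfExists": absent key does not block the match
            if str(ctx[key]).lower() != wanted.lower():
                return False
    return True


def statement_matches(statement, action, ctx):
    """True if the statement applies to this action under this context."""
    if not condition_matches(statement.get("Condition", {}), ctx):
        return False
    if "Action" in statement:
        return any(fnmatch.fnmatchcase(action, pat)
                   for pat in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(fnmatch.fnmatchcase(action, pat)
                       for pat in _as_list(statement["NotAction"]))
    return False


def evaluate(statements, action, ctx):
    """IAM-style decision: explicit Deny wins, else Allow, else implicit deny."""
    decision = "ImplicitDeny"
    for statement in statements:
        if statement_matches(statement, action, ctx):
            if statement["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def scenario_table():
    """Decisions for the actions discussed above under both policies."""
    policies = {
        "original": [ADMINISTRATOR_ACCESS, DENY_NO_MFA],
        "fixed": [ADMINISTRATOR_ACCESS, FIXED_DENY_NO_MFA],
    }
    checks = [
        ("codecommit:GitPull", GIT_CREDENTIALS_CTX),
        ("codecommit:GitPull", MFA_SESSION_CTX),
        ("codecommit:DeleteRepository", GIT_CREDENTIALS_CTX),
        ("sts:GetSessionToken", NO_MFA_SESSION_CTX),
    ]
    return {
        (name, action, tuple(sorted(ctx.items()))): evaluate(stmts, action, ctx)
        for name, stmts in policies.items()
        for action, ctx in checks
    }


if __name__ == "__main__":
    for (name, action, ctx), decision in scenario_table().items():
        print(f"{name:8} {action:28} ctx={dict(ctx)!s:40} -> {decision}")
```

Running it shows the two points the answer makes: with the original statement, codecommit:GitPull over HTTPS Git credentials is denied because the absent MFA key satisfies BoolIfExists, while the same action from an MFA session is allowed; with the fixed statement the Git transport actions are allowed without MFA. It also makes visible what the fix does not change: an action such as codecommit:DeleteRepository, which is not in the NotAction list, is still denied without MFA, so the exemption is limited to the Git and KMS actions the answer adds.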