

This is a machine-translated version. If the content of this translation differs from the original English text, the English original prevails.

# Example policies based on resource permissions
<a name="AWSHowTo.iam.example.resource"></a>

This section walks through a use case for granting users permissions to perform Elastic Beanstalk actions on specific Elastic Beanstalk resources, and shows the example policies that support it. For more information about Elastic Beanstalk resources, see [Creating a custom user policy](AWSHowTo.iam.managed-policies.md#AWSHowTo.iam.policies). For information about attaching policies to users and groups, see [Managing IAM policies](https://docs.amazonaws.cn/IAM/latest/UserGuide/ManagingPolicies.html) in *Using Amazon Identity and Access Management*.

In this use case, Example Corp. is a small consulting firm that develops applications for two different customers. John is the development manager who oversees the development of two Elastic Beanstalk applications, app1 and app2. John does some development and testing on both applications, and he alone can update the production environments for them. For app1 and app2 he needs the following permissions:
+ View applications, application versions, environments, and configuration templates
+ Create application versions and deploy them to the staging environment
+ Update the production environment
+ Create and terminate environments

Jill is a tester who, in order to monitor and test the two applications, needs permission to view the following resources: applications, application versions, environments, and configuration templates. However, she should not have permission to change any Elastic Beanstalk resources.

Jack is a developer on app1 who needs permission to view all app1 resources, and who also needs to create application versions for app1 and deploy them to the staging environment.

Judy is the administrator of the Example Corp. Amazon account. She creates IAM users for John, Jill, and Jack and attaches the following policies to those users to grant the appropriate permissions on the app1 and app2 applications.

## Example 1: John – development manager for app1 and app2
<a name="AWSHowTo.iam.policies.john"></a>

We have split John's permissions into three separate policies so that they are easier to read and manage. Together, these examples give John the permissions he needs to perform development, testing, and deployment actions on both applications.

The first policy specifies actions on Auto Scaling, Amazon S3, Amazon EC2, Amazon SNS, CloudWatch, Elastic Load Balancing, Amazon RDS, and Amazon CloudFormation. Elastic Beanstalk relies on these additional services to provision the underlying resources when it creates an environment.

Note that this policy is an example. It grants broad permissions to the Amazon products that Elastic Beanstalk uses to manage applications and environments. For example, `ec2:*` allows the IAM user to perform any action on any Amazon EC2 resource in the Amazon account. These permissions are not limited to the resources used with Elastic Beanstalk. As a best practice, grant individuals only the permissions they need to perform their duties.

```json
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "ec2:*",
            "ecs:*",
            "ecr:*",
            "elasticloadbalancing:*",
            "autoscaling:*",
            "cloudwatch:*",
            "s3:*",
            "sns:*",
            "cloudformation:*",
            "dynamodb:*",
            "rds:*",
            "sqs:*",
            "logs:*",
            "iam:GetPolicyVersion",
            "iam:GetRole",
            "iam:ListRolePolicies",
            "iam:ListAttachedRolePolicies",
            "iam:ListInstanceProfiles",
            "iam:ListRoles",
            "iam:ListServerCertificates",
            "acm:DescribeCertificate",
            "acm:ListCertificates",
            "codebuild:CreateProject",
            "codebuild:DeleteProject",
            "codebuild:BatchGetBuilds",
            "codebuild:StartBuild"
         ],
         "Resource": "*"
      },
      {
         "Effect": "Allow",
         "Action": [
            "iam:PassRole"
         ],
         "Resource": "arn:aws:iam::111122223333:role/MyRole"
      }
   ]
}
```
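The note above warns that grants such as `ec2:*` on `Resource: "*"` reach far beyond Elastic Beanstalk. The following added example (not code from this page or from Elastic Beanstalk) is a small static check that flags exactly that pattern in a policy document; the policy it scans is a constructed excerpt of John's first policy.

```python
import json

# Constructed excerpt of the first policy on this page: two broad wildcard
# grants, two narrow IAM read actions, and a PassRole scoped to one role ARN.
JOHN_SERVICE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:*", "s3:*", "iam:GetRole", "iam:ListRoles"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["iam:PassRole"],
     "Resource": "arn:aws:iam::111122223333:role/MyRole"}
  ]
}
""")


def _as_list(value):
    # IAM accepts either a single string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def find_broad_grants(policy):
    """Return (statement index, action) pairs for Allow statements that grant a
    service-wide wildcard action (e.g. ec2:*) on every resource (Resource "*").
    Conditions are not evaluated; a flagged statement still deserves a look."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # scoped to named ARNs, as the PassRole statement is
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append((idx, action))
    return findings
```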

The second policy specifies the Elastic Beanstalk actions that John can perform on the app1 and app2 resources. The `AllCallsInApplications` statement allows any Elastic Beanstalk action (`"elasticbeanstalk:*"`) on all resources within app1 and app2 (for example, `elasticbeanstalk:CreateEnvironment`). The `AllCallsOnApplications` statement allows any Elastic Beanstalk action (`"elasticbeanstalk:*"`) on the app1 and app2 application resources themselves (for example, `elasticbeanstalk:DescribeApplications`, `elasticbeanstalk:UpdateApplication`, and so on). The `AllCallsOnSolutionStacks` statement allows any Elastic Beanstalk action (`"elasticbeanstalk:*"`) on solution stack resources (for example, `elasticbeanstalk:ListAvailableSolutionStacks`).

```json
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "AllCallsInApplications",
         "Action": [
            "elasticbeanstalk:*"
         ],
         "Effect": "Allow",
         "Resource": [
            "*"
         ],
         "Condition": {
            "StringEquals": {
               "elasticbeanstalk:InApplication": [
                  "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app1",
                  "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app2"
               ]
            }
         }
      },
      {
         "Sid": "AllCallsOnApplications",
         "Action": [
            "elasticbeanstalk:*"
         ],
         "Effect": "Allow",
         "Resource": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app1",
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app2"
         ]
      },
      {
         "Sid": "AllCallsOnSolutionStacks",
         "Action": [
            "elasticbeanstalk:*"
         ],
         "Effect": "Allow",
         "Resource": [
            "arn:aws:elasticbeanstalk:us-east-2::solutionstack/*"
         ]
      }
   ]
}
```

The third policy specifies the Elastic Beanstalk actions that must also be permitted for the actions in the second policy to complete. The `AllNonResourceCalls` statement allows the `elasticbeanstalk:CheckDNSAvailability` action, which is required to call `elasticbeanstalk:CreateEnvironment` and other actions. It also allows the `elasticbeanstalk:CreateStorageLocation` action, which is required by `elasticbeanstalk:CreateApplication`, `elasticbeanstalk:CreateEnvironment`, and other actions.

```json
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "AllNonResourceCalls",
         "Action": [
            "elasticbeanstalk:CheckDNSAvailability",
            "elasticbeanstalk:CreateStorageLocation"
         ],
         "Effect": "Allow",
         "Resource": [
            "*"
         ]
      }
   ]
}
```

## Example 2: Jill – tester for app1 and app2
<a name="AWSHowTo.iam.policies.jill"></a>

We have split Jill's permissions into three separate policies so that they are easier to read and manage. Together, these examples give Jill the permissions she needs to perform testing and monitoring actions on both applications.

The first policy specifies `Describe*`, `List*`, and `Get*` actions on Auto Scaling, Amazon S3, Amazon EC2, Amazon SNS, CloudWatch, Elastic Load Balancing, Amazon RDS, and Amazon CloudFormation (for nonlegacy container types), so that the Elastic Beanstalk actions can retrieve the relevant information about the underlying resources of the app1 and app2 applications.

```json
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "ec2:Describe*",
            "elasticloadbalancing:Describe*",
            "autoscaling:Describe*",
            "cloudwatch:Describe*",
            "cloudwatch:List*",
            "cloudwatch:Get*",
            "s3:Get*",
            "s3:List*",
            "sns:Get*",
            "sns:List*",
            "rds:Describe*",
            "cloudformation:Describe*",
            "cloudformation:Get*",
            "cloudformation:List*",
            "cloudformation:Validate*",
            "cloudformation:Estimate*"
         ],
         "Resource": "*"
      }
   ]
}
```

The second policy specifies the Elastic Beanstalk actions that Jill can perform on the app1 and app2 resources. The `AllReadCallsInApplications` statement allows Jill to call the `Describe*` actions and the environment info actions. The `AllReadCallsOnApplications` statement allows Jill to call the `DescribeApplications` and `DescribeEvents` actions on the app1 and app2 application resources. The `AllReadCallsOnSolutionStacks` statement allows the view actions (`ListAvailableSolutionStacks`, `DescribeConfigurationOptions`, and `ValidateConfigurationSettings`) on solution stack resources.

```json
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "AllReadCallsInApplications",
         "Action": [
            "elasticbeanstalk:Describe*",
            "elasticbeanstalk:RequestEnvironmentInfo",
            "elasticbeanstalk:RetrieveEnvironmentInfo"
         ],
         "Effect": "Allow",
         "Resource": [
            "*"
         ],
         "Condition": {
            "StringEquals": {
               "elasticbeanstalk:InApplication": [
                  "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app1",
                  "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app2"
               ]
            }
         }
      },
      {
         "Sid": "AllReadCallsOnApplications",
         "Action": [
            "elasticbeanstalk:DescribeApplications",
            "elasticbeanstalk:DescribeEvents"
         ],
         "Effect": "Allow",
         "Resource": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app1",
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app2"
         ]
      },
      {
         "Sid": "AllReadCallsOnSolutionStacks",
         "Action": [
            "elasticbeanstalk:ListAvailableSolutionStacks",
            "elasticbeanstalk:DescribeConfigurationOptions",
            "elasticbeanstalk:ValidateConfigurationSettings"
         ],
         "Effect": "Allow",
         "Resource": [
            "arn:aws:elasticbeanstalk:us-east-2::solutionstack/*"
         ]
      }
   ]
}
```

The third policy specifies the Elastic Beanstalk actions that must also be permitted for the actions in the second policy to complete. The `AllNonResourceCalls` statement allows the `elasticbeanstalk:CheckDNSAvailability` action, which some of the view actions require.

```json
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "AllNonResourceCalls",
         "Action": [
            "elasticbeanstalk:CheckDNSAvailability"
         ],
         "Effect": "Allow",
         "Resource": [
            "*"
         ]
      }
   ]
}
```

## Example 3: Jack – developer for app1
<a name="AWSHowTo.iam.policies.jack"></a>

We have split Jack's permissions into three separate policies so that they are easier to read and manage. Together, these examples give Jack the permissions he needs to perform testing, monitoring, and deployment actions on the app1 resources.

The first policy specifies actions on Auto Scaling, Amazon S3, Amazon EC2, CloudWatch, Amazon SNS, Elastic Load Balancing, Amazon RDS, and Amazon CloudFormation (for nonlegacy container types), so that the Elastic Beanstalk actions can view and work with the underlying resources of app1. For a list of the supported nonlegacy container types, see [Why are some platform versions marked legacy?](using-features.migration.md#using-features.migration.why)

Note that this policy is an example. It grants broad permissions to the Amazon products that Elastic Beanstalk uses to manage applications and environments. For example, `ec2:*` allows the IAM user to perform any action on any Amazon EC2 resource in the Amazon account. These permissions are not limited to the resources used with Elastic Beanstalk. As a best practice, grant individuals only the permissions they need to perform their duties.

```json
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Effect": "Allow",
         "Action": [
            "ec2:*",
            "elasticloadbalancing:*",
            "autoscaling:*",
            "cloudwatch:*",
            "s3:*",
            "sns:*",
            "rds:*",
            "cloudformation:*"
         ],
         "Resource": "*"
      }
   ]
}
```

The second policy specifies the Elastic Beanstalk actions that Jack can perform on the app1 resources.

```json
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "AllReadCallsAndAllVersionCallsInApplications",
         "Action": [
            "elasticbeanstalk:Describe*",
            "elasticbeanstalk:RequestEnvironmentInfo",
            "elasticbeanstalk:RetrieveEnvironmentInfo",
            "elasticbeanstalk:CreateApplicationVersion",
            "elasticbeanstalk:DeleteApplicationVersion",
            "elasticbeanstalk:UpdateApplicationVersion"
         ],
         "Effect": "Allow",
         "Resource": [
            "*"
         ],
         "Condition": {
            "StringEquals": {
               "elasticbeanstalk:InApplication": [
                  "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app1"
               ]
            }
         }
      },
      {
         "Sid": "AllReadCallsOnApplications",
         "Action": [
            "elasticbeanstalk:DescribeApplications",
            "elasticbeanstalk:DescribeEvents"
         ],
         "Effect": "Allow",
         "Resource": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app1"
         ]
      },
      {
         "Sid": "UpdateEnvironmentInApplications",
         "Action": [
            "elasticbeanstalk:UpdateEnvironment"
         ],
         "Effect": "Allow",
         "Resource": [
            "arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/app1/app1-staging*"
         ],
         "Condition": {
            "StringEquals": {
               "elasticbeanstalk:InApplication": [
                  "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app1"
               ]
            },
            "ArnLike": {
               "elasticbeanstalk:FromApplicationVersion": [
                  "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/app1/*"
               ]
            }
         }
      },
      {
         "Sid": "AllReadCallsOnSolutionStacks",
         "Action": [
            "elasticbeanstalk:ListAvailableSolutionStacks",
            "elasticbeanstalk:DescribeConfigurationOptions",
            "elasticbeanstalk:ValidateConfigurationSettings"
         ],
         "Effect": "Allow",
         "Resource": [
            "arn:aws:elasticbeanstalk:us-east-2::solutionstack/*"
         ]
      }
   ]
}
```
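The `UpdateEnvironmentInApplications` statement above is what keeps Jack's deployments on app1's staging environments and on versions built from app1. The following added example (not code from this page or from IAM) is a deliberately simplified simulator of that scoping: it models only what these policies use, namely `*` wildcards in Action and Resource, `StringEquals`, and `ArnLike`, and ignores Deny statements and the rest of the real IAM evaluation logic. The policy it evaluates is a constructed copy of two of the Sids above, with the page's own ARNs.

```python
import fnmatch

# Constructed copy of the two Sids of Jack's second policy that scope deployments (others omitted).
APP1 = "arn:aws:elasticbeanstalk:us-east-2:123456789012:application/app1"
JACK_POLICY = {"Statement": [
    {"Sid": "AllReadCallsAndAllVersionCallsInApplications",
     "Effect": "Allow",
     "Action": ["elasticbeanstalk:Describe*", "elasticbeanstalk:CreateApplicationVersion"],
     "Resource": ["*"],
     "Condition": {"StringEquals": {"elasticbeanstalk:InApplication": [APP1]}}},
    {"Sid": "UpdateEnvironmentInApplications",
     "Effect": "Allow",
     "Action": ["elasticbeanstalk:UpdateEnvironment"],
     "Resource": ["arn:aws:elasticbeanstalk:us-east-2:123456789012:environment/app1/app1-staging*"],
     "Condition": {
         "StringEquals": {"elasticbeanstalk:InApplication": [APP1]},
         "ArnLike": {"elasticbeanstalk:FromApplicationVersion": [
             "arn:aws:elasticbeanstalk:us-east-2:123456789012:applicationversion/app1/*"]}}},
]}

def _matches(patterns, value):
    # IAM-style glob: * and ? wildcards, case-sensitive.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _condition_ok(condition, context):
    # Every operator block and key must match; StringEquals is exact, ArnLike
    # allows wildcards, and a key absent from the request context fails.
    for operator, keys in condition.items():
        for key, allowed in keys.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in allowed:
                return False
            if operator == "ArnLike" and not _matches(allowed, actual):
                return False
    return True

def is_allowed(policy, action, resource, context):
    """Return the Sid of the first Allow statement matching the call, else None
    (default deny). Only Allow statements are modelled."""
    for stmt in policy["Statement"]:
        if (stmt["Effect"] != "Allow" or not _matches(stmt["Action"], action)
                or not _matches(stmt["Resource"], resource)):
            continue
        if not _condition_ok(stmt.get("Condition", {}), context):
            continue
        return stmt["Sid"]
    return None
```

The request context keys (`elasticbeanstalk:InApplication`, `elasticbeanstalk:FromApplicationVersion`) are the ones the page's conditions test; the values passed in are constructed.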

The third policy specifies the Elastic Beanstalk actions that must also be permitted for the actions in the second policy to complete. The `AllNonResourceCalls` statement allows the `elasticbeanstalk:CheckDNSAvailability` action, which is required to call `elasticbeanstalk:CreateEnvironment` and other actions. It also allows the `elasticbeanstalk:CreateStorageLocation` action, which is required by `elasticbeanstalk:CreateEnvironment` and other actions.

```json
{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "AllNonResourceCalls",
         "Action": [
            "elasticbeanstalk:CheckDNSAvailability",
            "elasticbeanstalk:CreateStorageLocation"
         ],
         "Effect": "Allow",
         "Resource": [
            "*"
         ]
      }
   ]
}
```