本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
Amazon 的托管策略 Amazon Service Catalog AppRegistry
Amazon 托管策略:AWSServiceCatalogAdminFullAccess
您可以附加AWSServiceCatalogAdminFullAccess到您的 IAM 实体。 AppRegistry 还将此策略附加 AppRegistry 到允许代表您执行操作的服务角色。
此策略能授予管理权限,允许对管理员控制台视图进行完全访问,并授予创建和管理产品和产品组合的权限。
权限详细信息
该策略包含以下权限。
-
servicecatalog— 允许委托人拥有管理员控制台视图的全部权限,以及创建和管理产品组合和产品、管理限制、向最终用户授予访问权限以及在其中执行其他管理任务的能力。 Amazon Service Catalog -
cloudformation— 允许列出、读取、写入和标记 Amazon CloudFormation 堆栈的 Amazon Service Catalog 完全权限。 -
config— 允许通过 Amazon Config访问产品组合、产品和预配置产品的 Amazon Service Catalog 有限权限。 -
iam— 允许主体拥有查看和创建创建和管理产品和产品组合所需的服务用户、用户组或角色的全部权限。 -
ssm— Amazon Service Catalog Amazon Systems Manager 允许使用列出和阅读当前 Amazon 账户和 Amazon 区域中的 Systems Manager 文档。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks", "cloudformation:SetStackPolicy", "cloudformation:UpdateStack", "cloudformation:CreateChangeSet", "cloudformation:DescribeChangeSet", "cloudformation:ExecuteChangeSet", "cloudformation:ListChangeSets", "cloudformation:DeleteChangeSet", "cloudformation:ListStackResources", "cloudformation:TagResource", "cloudformation:CreateStackSet", "cloudformation:CreateStackInstances", "cloudformation:UpdateStackSet", "cloudformation:UpdateStackInstances", "cloudformation:DeleteStackSet", "cloudformation:DeleteStackInstances", "cloudformation:DescribeStackSet", "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackSetOperation", "cloudformation:ListStackInstances", "cloudformation:ListStackSetOperations", "cloudformation:ListStackSetOperationResults" ], "Resource": [ "arn:aws:cloudformation:*:*:stack/SC-*", "arn:aws:cloudformation:*:*:stack/StackSet-SC-*", "arn:aws:cloudformation:*:*:changeSet/SC-*", "arn:aws:cloudformation:*:*:stackset/SC-*" ] }, { "Effect": "Allow", "Action": [ "cloudformation:CreateUploadBucket", "cloudformation:GetTemplateSummary", "cloudformation:ValidateTemplate", "iam:GetGroup", "iam:GetRole", "iam:GetUser", "iam:ListGroups", "iam:ListRoles", "iam:ListUsers", "servicecatalog:Get*", "servicecatalog:Scan*", "servicecatalog:Search*", "servicecatalog:List*", "servicecatalog:TagResource", "servicecatalog:UntagResource", "servicecatalog:SyncResource", "ssm:DescribeDocument", "ssm:GetAutomationExecution", "ssm:ListDocuments", "ssm:ListDocumentVersions", "config:DescribeConfigurationRecorders", "config:DescribeConfigurationRecorderStatus" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "servicecatalog:Accept*", "servicecatalog:Associate*", "servicecatalog:Batch*", "servicecatalog:Copy*", "servicecatalog:Create*", "servicecatalog:Delete*", "servicecatalog:Describe*", "servicecatalog:Disable*", "servicecatalog:Disassociate*", "servicecatalog:Enable*", "servicecatalog:Execute*", "servicecatalog:Import*", "servicecatalog:Provision*", "servicecatalog:Put*", "servicecatalog:Reject*", "servicecatalog:Terminate*", "servicecatalog:Update*" ], "Resource": "*" }, { "Effect": "Allow", "Action": "iam:PassRole", "Resource": "*", "Condition": { "StringEquals": { "iam:PassedToService": "servicecatalog.amazonaws.com" } } }, { "Effect": "Allow", "Action": "iam:CreateServiceLinkedRole", "Resource": "arn:aws:iam::*:role/aws-service-role/orgsdatasync.servicecatalog.amazonaws.com/AWSServiceRoleForServiceCatalogOrgsDataSync", "Condition": { "StringEquals": { "iam:AWSServiceName": "orgsdatasync.servicecatalog.amazonaws.com" } } }
Amazon 托管策略:AWSServiceCatalogAdminReadOnlyAccess
您可以附加AWSServiceCatalogAdminReadOnlyAccess到您的 IAM 实体。 AppRegistry 还将此策略附加 AppRegistry 到允许代表您执行操作的服务角色。
此策略授予允许完全访问管理员控制台视图的只读权限。此策略不授予创建或管理产品和产品组合的访问权限。
权限详细信息
该策略包含以下权限。
-
servicecatalog— 允许主体拥有管理员控制台视图的只读权限。 -
cloudformation— 允许列出和读取 Amazon CloudFormation 堆栈的 Amazon Service Catalog 有限权限。 -
config— 允许通过 Amazon Config访问产品组合、产品和预配置产品的 Amazon Service Catalog 有限权限。 -
iam— 允许主体查看创建和管理产品和产品组合所需的服务用户、组或角色的有限权限。 -
ssm— Amazon Service Catalog Amazon Systems Manager 允许使用列出和阅读当前 Amazon 账户和 Amazon 区域中的 Systems Manager 文档。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks", "cloudformation:DescribeChangeSet", "cloudformation:ListChangeSets", "cloudformation:ListStackResources", "cloudformation:DescribeStackSet", "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackSetOperation", "cloudformation:ListStackInstances", "cloudformation:ListStackSetOperations", "cloudformation:ListStackSetOperationResults" ], "Resource": [ "arn:aws:cloudformation:*:*:stack/SC-*", "arn:aws:cloudformation:*:*:stack/StackSet-SC-*", "arn:aws:cloudformation:*:*:changeSet/SC-*", "arn:aws:cloudformation:*:*:stackset/SC-*" ] }, { "Effect": "Allow", "Action": [ "cloudformation:GetTemplateSummary", "iam:GetGroup", "iam:GetRole", "iam:GetUser", "iam:ListGroups", "iam:ListRoles", "iam:ListUsers", "servicecatalog:Get*", "servicecatalog:List*", "servicecatalog:Describe*", "servicecatalog:ScanProvisionedProducts", "servicecatalog:Search*", "ssm:DescribeDocument", "ssm:GetAutomationExecution", "ssm:ListDocuments", "ssm:ListDocumentVersions", "config:DescribeConfigurationRecorders", "config:DescribeConfigurationRecorderStatus" ], "Resource": "*" } ] }
Amazon 托管策略:AWSServiceCatalogEndUserFullAccess
您可以附加AWSServiceCatalogEndUserFullAccess到您的 IAM 实体。 AppRegistry 还将此策略附加 AppRegistry 到允许代表您执行操作的服务角色。
此策略授予参与者权限,允许他们完全访问最终用户控制台视图,并授予启动产品和管理预配置产品的权限。
权限详细信息
该策略包含以下权限。
-
servicecatalog– 允许主体对最终用户控制台视图的完全权限以及启动产品和管理预配置产品的权限。 -
cloudformation— 允许列出、读取、写入和标记 Amazon CloudFormation 堆栈的 Amazon Service Catalog 完全权限。 -
config— 允许 Amazon Service Catalog 有限权限通过 Amazon Config列出和阅读有关产品组合、产品和预配置产品的详细信息。 -
ssm— Amazon Service Catalog 允许使用读 Amazon Systems Manager 取当前 Amazon 账户和 Amazon 区域中的 Systems Manager 文档。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:DeleteStack", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks", "cloudformation:SetStackPolicy", "cloudformation:ValidateTemplate", "cloudformation:UpdateStack", "cloudformation:CreateChangeSet", "cloudformation:DescribeChangeSet", "cloudformation:ExecuteChangeSet", "cloudformation:ListChangeSets", "cloudformation:DeleteChangeSet", "cloudformation:TagResource", "cloudformation:CreateStackSet", "cloudformation:CreateStackInstances", "cloudformation:UpdateStackSet", "cloudformation:UpdateStackInstances", "cloudformation:DeleteStackSet", "cloudformation:DeleteStackInstances", "cloudformation:DescribeStackSet", "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackSetOperation", "cloudformation:ListStackInstances", "cloudformation:ListStackResources", "cloudformation:ListStackSetOperations", "cloudformation:ListStackSetOperationResults" ], "Resource": [ "arn:aws:cloudformation:*:*:stack/SC-*", "arn:aws:cloudformation:*:*:stack/StackSet-SC-*", "arn:aws:cloudformation:*:*:changeSet/SC-*", "arn:aws:cloudformation:*:*:stackset/SC-*" ] }, { "Effect": "Allow", "Action": [ "cloudformation:GetTemplateSummary", "servicecatalog:DescribeProduct", "servicecatalog:DescribeProductView", "servicecatalog:DescribeProvisioningParameters", "servicecatalog:ListLaunchPaths", "servicecatalog:ProvisionProduct", "servicecatalog:SearchProducts", "ssm:DescribeDocument", "ssm:GetAutomationExecution", "config:DescribeConfigurationRecorders", "config:DescribeConfigurationRecorderStatus" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "servicecatalog:DescribeProvisionedProduct", "servicecatalog:DescribeRecord", "servicecatalog:ListRecordHistory", "servicecatalog:ListStackInstancesForProvisionedProduct", "servicecatalog:ScanProvisionedProducts", "servicecatalog:TerminateProvisionedProduct", "servicecatalog:UpdateProvisionedProduct", "servicecatalog:SearchProvisionedProducts", "servicecatalog:CreateProvisionedProductPlan", "servicecatalog:DescribeProvisionedProductPlan", "servicecatalog:ExecuteProvisionedProductPlan", "servicecatalog:DeleteProvisionedProductPlan", "servicecatalog:ListProvisionedProductPlans", "servicecatalog:ListServiceActionsForProvisioningArtifact", "servicecatalog:ExecuteProvisionedProductServiceAction", "servicecatalog:DescribeServiceActionExecutionParameters" ], "Resource": "*", "Condition": { "StringEquals": { "servicecatalog:userLevel": "self" } } } ] }
Amazon 托管策略:AWSServiceCatalogEndUserReadOnlyAccess
您可以附加AWSServiceCatalogEndUserReadOnlyAccess到您的 IAM 实体。 AppRegistry 还将此策略附加 AppRegistry 到允许代表您执行操作的服务角色。
此策略授予允许只读访问最终用户控制台视图的只读权限。此策略不授予启动产品或管理预配置产品的权限。
权限详细信息
该策略包含以下权限。
-
servicecatalog— 允许主体拥有访问最终用户控制台视图的只读权限。 -
cloudformation— 允许列出和读取 Amazon CloudFormation 堆栈的 Amazon Service Catalog 有限权限。 -
config— 允许 Amazon Service Catalog 有限权限通过 Amazon Config列出和阅读有关产品组合、产品和预配置产品的详细信息。 -
ssm— Amazon Service Catalog 允许使用读 Amazon Systems Manager 取当前 Amazon 账户和 Amazon 区域中的 Systems Manager 文档。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks", "cloudformation:DescribeChangeSet", "cloudformation:ListChangeSets", "cloudformation:DescribeStackSet", "cloudformation:DescribeStackInstance", "cloudformation:DescribeStackSetOperation", "cloudformation:ListStackInstances", "cloudformation:ListStackResources", "cloudformation:ListStackSetOperations", "cloudformation:ListStackSetOperationResults" ], "Resource": [ "arn:aws:cloudformation:*:*:stack/SC-*", "arn:aws:cloudformation:*:*:stack/StackSet-SC-*", "arn:aws:cloudformation:*:*:changeSet/SC-*", "arn:aws:cloudformation:*:*:stackset/SC-*" ] }, { "Effect": "Allow", "Action": [ "cloudformation:GetTemplateSummary", "servicecatalog:DescribeProduct", "servicecatalog:DescribeProductView", "servicecatalog:DescribeProvisioningParameters", "servicecatalog:ListLaunchPaths", "servicecatalog:SearchProducts", "ssm:DescribeDocument", "ssm:GetAutomationExecution", "config:DescribeConfigurationRecorders", "config:DescribeConfigurationRecorderStatus" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "servicecatalog:DescribeProvisionedProduct", "servicecatalog:DescribeRecord", "servicecatalog:ListRecordHistory", "servicecatalog:ListStackInstancesForProvisionedProduct", "servicecatalog:ScanProvisionedProducts", "servicecatalog:SearchProvisionedProducts", "servicecatalog:DescribeProvisionedProductPlan", "servicecatalog:ListProvisionedProductPlans", "servicecatalog:ListServiceActionsForProvisioningArtifact", "servicecatalog:DescribeServiceActionExecutionParameters" ], "Resource": "*", "Condition": { "StringEquals": { "servicecatalog:userLevel": "self" } } } ] }
Amazon 托管策略:AWSServiceCatalogSyncServiceRolePolicy
Amazon Service Catalog 将此策略附加到AWSServiceRoleForServiceCatalogSync服务相关角色 (SLR),允许 Amazon Service Catalog 将外部存储库中的模板同步到 Amazon Service Catalog 产品。
此策略授予的权限允许对 Amazon Service Catalog 操作(例如,API 调用)和其他 Amazon Service Catalog 依赖的 Amazon 服务操作进行有限的访问。
该策略包含以下权限。
-
servicecatalog— 允许 Amazon Service Catalog 工件同步角色有限地访问 Amazon Service Catalog 公共 API。 -
codestar-connections— 允许 Amazon Service Catalog 工件同步角色有限地访问CodeConnections 公共 API。 -
cloudformation— 允许 Amazon Service Catalog 工件同步角色有限地访问 Amazon CloudFormation 公共 API。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "ArtifactSynctoServiceCatalog", "Effect": "Allow", "Action": [ "servicecatalog:ListProvisioningArtifacts", "servicecatalog:DescribeProductAsAdmin", "servicecatalog:DeleteProvisioningArtifact", "servicecatalog:ListServiceActionsForProvisioningArtifact", "servicecatalog:CreateProvisioningArtifact", "servicecatalog:UpdateProvisioningArtifact" ], "Resource": "*" }, { "Sid": "AccessArtifactRepositories", "Effect": "Allow", "Action": [ "codestar-connections:UseConnection" ], "Resource": "arn:aws:codestar-connections:*:*:connection/*" }, { "Sid": "ValidateTemplate", "Effect": "Allow", "Action": [ "cloudformation:ValidateTemplate" ], "Resource": "*" } ] }
Amazon Service Catalog 将上述权限详细信息用于在用户创建或更新使用的 Amazon Service Catalog CodeConnections产品时创建的AWSServiceRoleForServiceCatalogSync服务相关角色。您可以使用 Amazon CLI、 Amazon API 或通过 Amazon Service Catalog 控制台修改此策略。有关如何创建、编辑和删除服务相关角色的更多信息,请参阅为 Amazon Service Catalog使用服务相关角色 (SLR)。
AWSServiceRoleForServiceCatalogSync服务相关角色中包含的权限 Amazon Service Catalog 允许代表客户执行以下操作。
-
servicecatalog:ListProvisioningArtifacts— 允许 Amazon Service Catalog 工件同步角色列出同步到存储库中模板文件的给定 Amazon Service Catalog 产品的配置工件。 -
servicecatalog:DescribeProductAsAdmin— 允许 Amazon Service Catalog 工件同步角色使用DescribeProductAsAdminAPI 获取 Amazon Service Catalog 产品及其关联的预配置工件的详细信息,这些工件已同步到存储库中的模板文件。构件同步角色使用此调用的输出来验证产品对预配置构件的服务限额限制。 -
servicecatalog:DeleteProvisioningArtifact— 允许 Amazon Service Catalog 工件同步角色删除已置备的对象。 -
servicecatalog:ListServiceActionsForProvisioningArtifact— 允许 Amazon Service Catalog 对象同步角色确定服务操作是否与置备对象相关联,并确保在关联服务操作时不会删除置备对象。 -
servicecatalog:DescribeProvisioningArtifact— 允许 Amazon Service Catalog 工件同步角色从DescribeProvisioningArtifactAPI 中检索详细信息,包括SourceRevisionInfo输出中提供的提交 ID。 -
servicecatalog:CreateProvisioningArtifact— 如果检测到外部存储库中的源模板文件发生了更改(例如,已提交 git-push),则允许工 Amazon Service Catalog 件同步角色创建新的预配置工件。 -
servicecatalog:UpdateProvisioningArtifact— 允许 Amazon Service Catalog 工件同步角色更新已连接或已同步产品的已配置对象。 -
codestar-connections:UseConnection— 允许 Amazon Service Catalog 工件同步角色使用现有连接来更新和同步产品。 -
cloudformation:ValidateTemplate— 允许 Amazon Service Catalog 对象同步角色的有限访问权限 Amazon CloudFormation 来验证外部存储库中使用的模板的模板格式,并验证是否 Amazon CloudFormation 可以支持该模板。
Amazon 托管策略:AWSServiceCatalogOrgsDataSyncServiceRolePolicy
Amazon Service Catalog 将此策略附加到AWSServiceRoleForServiceCatalogOrgsDataSync服务相关角色 (SLR), Amazon Service Catalog 允许与同步。 Amazon Organizations
此策略授予的权限允许对 Amazon Service Catalog 操作(例如,API 调用)和其他 Amazon Service Catalog 依赖的 Amazon 服务操作进行有限的访问。
该策略包含以下权限。
-
organizations— 允许 Amazon Service Catalog 数据同步角色有限地访问 Amazon Organizations 公共 API。
{ "Version": "2012-10-17", "Statement": [ { "Sid": "OrganizationsDataSyncToServiceCatalog", "Effect": "Allow", "Action": [ "organizations:DescribeAccount", "organizations:DescribeOrganization", "organizations:ListAccounts", "organizations:ListChildren", "organizations:ListParents", "organizations:ListAWSServiceAccessForOrganization" ], "Resource": "*" } ] }
Amazon Service Catalog 将上述权限详细信息用于在用户启用 Amazon Organizations 共享产品组合访问权限或创建投资组合共享时创建的AWSServiceRoleForServiceCatalogOrgsDataSync服务相关角色。您可以使用 Amazon CLI、 Amazon API 或通过 Amazon Service Catalog 控制台修改此策略。有关如何创建、编辑和删除服务相关角色的更多信息,请参阅为 Amazon Service Catalog使用服务相关角色 (SLR)。
AWSServiceRoleForServiceCatalogOrgsDataSync服务相关角色中包含的权限 Amazon Service Catalog 允许代表客户执行以下操作。
-
organizations:DescribeAccount— 允许 Org Amazon Service Catalog anizations Data Sync 角色检索有关指定账户的 Amazon Organizations相关信息。 -
organizations:DescribeOrganization— 允许 Organizations Data Sync 角色检索有关用户帐户所属组织的信息。 Amazon Service Catalog -
organizations:ListAccounts— 允许 Organizations Data Sync 角色列出用户组织中的帐户。 Amazon Service Catalog -
organizations:ListChildren— 允许 Or Amazon Service Catalog ganizations Data Sync 角色列出包含在指定父组织单位或根目录中的所有组织单位 (UO) 或帐户。 -
organizations:ListParents— 允许 Organizations Data Sync 角色列出作为指定子 Amazon Service Catalog 组织单位或账户直系父级的一个或多个根组织单位。 -
organizations:ListAWSServiceAccessForOrganization— 允许 Amazon Service Catalog Organizations Data Sync 角色检索用户允许与其组织集成的 Amazon 服务列表。
已弃用的策略
以下托管策略已弃用:
-
ServiceCatalogAdminFullAccess— AWSServiceCatalogAdminFullAccess改用。
-
ServiceCatalogAdminReadOnlyAccess— AWSServiceCatalogAdminReadOnlyAccess改用。
-
ServiceCatalogEndUserFullAccess— AWSServiceCatalogEndUserFullAccess改用。
-
ServiceCatalogEndUserAccess— AWSServiceCatalogEndUserReadOnlyAccess改用。
使用以下过程可确保管理员和最终用户获得使用当前策略的权限。
要从已弃用的策略迁移到当前策略,请参阅《Amazon Identity and Access Management 用户指南》中的添加和删除 IAM 身份权限。
AppRegistry Amazon 托管策略的更新
查看 AppRegistry 自该服务开始跟踪这些更改以来 Amazon 托管策略更新的详细信息。要获得有关此页面变更的自动提醒,请订阅 “ AppRegistry 文档历史记录” 页面上的 RSS feed。
| 更改 | 描述 | 日期 |
|---|---|---|
|
AWSServiceCatalogAdminFullAccess— 更新托管策略 |
Amazon Service Catalog 更新了 |
2023 年 4 月 14 日 |
|
Amazon Service Catalog 添加了 |
2023 年 4 月 14 日 | |
|
AWSServiceCatalogAdminFullAccess— 更新托管策略 |
Amazon Service Catalog 更新了 |
2023 年 1 月 12 日 |
|
Amazon Service Catalog 添加了附加到 |
2022 年 11 月 18 日 | |
|
AWSServiceRoleForServiceCatalogSync— 新的服务相关角色 |
Amazon Service Catalog 添加了 |
2022 年 11 月 18 日 |
|
AWSServiceCatalogAdminFullAccess— 更新了托管策略 |
Amazon Service Catalog 更新了 |
2022 年 9 月 30 日 |
|
AppRegistry 已开始跟踪更改 |
AppRegistry 开始跟踪其 Amazon 托管策略的更改。 |
2022 年 9 月 15 日 |