The Amazon Web Services services or features described in this documentation may vary by Region. For the differences that apply to the China Regions, see Getting Started with Amazon Web Services in China (PDF).
This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.
Identity-based policy examples for IAM Identity Center
This topic provides examples of IAM policies that you can create to grant users and roles permission to administer IAM Identity Center.
This topic covers the following sections: custom policy examples, and the permissions required to use the IAM Identity Center console.
Custom policy examples
This section provides examples of common use cases that require a custom IAM policy. These example policies are identity-based policies and do not specify a Principal element, because with an identity-based policy you do not name the principal that receives the permissions; instead, you attach the policy to a principal. When you attach an identity-based permissions policy to an IAM role, the principal identified in that role's trust policy obtains the permissions. You can create identity-based policies in IAM and attach them to users, groups, and roles. You can also apply these policies to IAM Identity Center users by including them in a permission set that you create in IAM Identity Center.
Example 1: Allow a user to view IAM Identity Center
The following permissions policy grants a user read-only permissions so that they can view all of the settings and directory information configured in IAM Identity Center.
This policy is for reference only. In a production environment, we recommend that you use the ViewOnlyAccess Amazon managed policy for IAM Identity Center.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ds:DescribeDirectories",
"ds:DescribeTrusts",
"iam:ListPolicies",
"organizations:DescribeOrganization",
"organizations:DescribeAccount",
"organizations:ListParents",
"organizations:ListChildren",
"organizations:ListAccounts",
"organizations:ListRoots",
"organizations:ListAccountsForParent",
"organizations:ListDelegatedAdministrators",
"organizations:ListOrganizationalUnitsForParent",
"sso:ListManagedPoliciesInPermissionSet",
"sso:ListPermissionSetsProvisionedToAccount",
"sso:ListAccountAssignments",
"sso:ListAccountsForProvisionedPermissionSet",
"sso:ListPermissionSets",
"sso:DescribePermissionSet",
"sso:GetInlinePolicyForPermissionSet",
"sso-directory:DescribeDirectory",
"sso-directory:SearchUsers",
"sso-directory:SearchGroups"
],
"Resource": "*"
}
]
}
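A quick way to confirm that a policy like Example 1 really is read-only before attaching it is to check that every Allow action uses a non-mutating verb. The following Python script is an added example, not code from the Amazon documentation; the verb prefixes it treats as read-only (Describe, Get, List, Search) are an assumption for this audit, and the embedded policy is a subset of the Example 1 policy above.

```python
import json
from typing import Dict, List

# Verb prefixes that the sso, sso-directory, organizations, iam and ds services
# use for non-mutating calls. This is an assumption for the audit, not an
# Amazon-published list.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Search")

# A subset of the read-only policy from Example 1, embedded so the audit runs offline.
EXAMPLE_1_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
      "ds:DescribeDirectories", "ds:DescribeTrusts", "iam:ListPolicies",
      "organizations:DescribeOrganization", "organizations:ListAccounts",
      "sso:ListPermissionSets", "sso:DescribePermissionSet",
      "sso:GetInlinePolicyForPermissionSet",
      "sso-directory:DescribeDirectory", "sso-directory:SearchUsers"
    ],
    "Resource": "*"
  }]
}
""")


def _as_list(value) -> List:
    """IAM accepts a bare string/object or a list for Statement/Action; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def non_readonly_actions(policy: Dict) -> List[str]:
    """Return every Allow action whose verb is not Describe/Get/List/Search.

    A wildcard verb ("sso:*", "*") is reported because it grants write calls too.
    NotAction grants are reported as "NotAction:<value>" because a complement set
    cannot be proven read-only by inspecting the verbs it lists.
    """
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only shrink what is granted
        for value in _as_list(stmt.get("NotAction")):
            findings.append(f"NotAction:{value}")
        for action in _as_list(stmt.get("Action")):
            _service, _, verb = action.partition(":")
            if "*" in verb or "?" in verb or not verb.startswith(READ_ONLY_VERBS):
                findings.append(action)
    return findings


def is_read_only(policy: Dict) -> bool:
    """True when no Allow statement grants a mutating or wildcard action."""
    return not non_readonly_actions(policy)


if __name__ == "__main__":
    print("Example 1 read-only:", is_read_only(EXAMPLE_1_POLICY))
    widened = json.loads(json.dumps(EXAMPLE_1_POLICY))
    widened["Statement"][0]["Action"].append("sso:CreatePermissionSet")
    print("Offending actions after widening:", non_readonly_actions(widened))
```

Run this against any policy document before attaching it; the verb list is a heuristic, so treat a clean result as a necessary check rather than proof, and review any reported NotAction grant by hand.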
Example 2: Allow a user to manage permissions to Amazon Web Services accounts in IAM Identity Center
The following permissions policy grants permissions that allow a user to create, manage, and deploy permission sets for your Amazon Web Services accounts.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sso:AttachManagedPolicyToPermissionSet",
"sso:CreateAccountAssignment",
"sso:CreatePermissionSet",
"sso:DeleteAccountAssignment",
"sso:DeleteInlinePolicyFromPermissionSet",
"sso:DeletePermissionSet",
"sso:DetachManagedPolicyFromPermissionSet",
"sso:ProvisionPermissionSet",
"sso:PutInlinePolicyToPermissionSet",
"sso:UpdatePermissionSet"
],
"Resource": "*"
},
{
"Sid": "IAMListPermissions",
"Effect": "Allow",
"Action": [
"iam:ListRoles",
"iam:ListPolicies"
],
"Resource": "*"
},
{
"Sid": "AccessToSSOProvisionedRoles",
"Effect": "Allow",
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:PutRolePolicy",
"iam:UpdateRole",
"iam:UpdateRoleDescription"
],
"Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
},
{
"Effect": "Allow",
"Action": [
"iam:GetSAMLProvider"
],
"Resource": "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
}
]
}
The additional permissions listed under the "Sid": "IAMListPermissions" and "Sid": "AccessToSSOProvisionedRoles" statements are required only to allow the user to create assignments in the Amazon Organizations management account. In some cases, you might also need to add iam:UpdateSAMLProvider to these statements.
Note that the "AccessToSSOProvisionedRoles" statement is scoped to the arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/* path, so the user can create and modify only the roles that IAM Identity Center provisions, not arbitrary IAM roles in the account.
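The important property of Example 2 is that the IAM role actions are granted only on the arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/* path, so the user can manage roles that IAM Identity Center provisions but not arbitrary roles in the account. The following Python script is an added example, not code from the Amazon documentation: it evaluates a policy with IAM's wildcard matching (an explicit Deny wins, then any matching Allow, otherwise implicit deny; Condition elements are not modelled) and shows that iam:CreateRole on an ordinary role is denied. The account ID and role names are made up, and the aws-cn check reflects that ARNs in the China Regions use the aws-cn partition, which the arn:aws:... resource in Example 2 does not match.

```python
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List

# The statements from Example 2 that matter for the resource-scoping point
# (the full policy above also grants iam:GetSAMLProvider and more sso actions).
EXAMPLE_2_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["sso:CreatePermissionSet", "sso:ProvisionPermissionSet",
                       "sso:CreateAccountAssignment"],
            "Resource": "*",
        },
        {
            "Sid": "IAMListPermissions",
            "Effect": "Allow",
            "Action": ["iam:ListRoles", "iam:ListPolicies"],
            "Resource": "*",
        },
        {
            "Sid": "AccessToSSOProvisionedRoles",
            "Effect": "Allow",
            "Action": ["iam:AttachRolePolicy", "iam:CreateRole", "iam:DeleteRole",
                       "iam:PutRolePolicy", "iam:UpdateRole"],
            "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*",
        },
    ],
}


def _as_list(value) -> List:
    """IAM accepts a bare string/object or a list; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(patterns: Iterable[str], candidate: str, case_sensitive: bool) -> bool:
    """IAM-style glob match: '*' matches any run of characters (including ':' and '/'),
    '?' matches one character. Action names compare case-insensitively, ARNs case-sensitively."""
    for pat in patterns:
        if case_sensitive:
            if fnmatchcase(candidate, pat):
                return True
        elif fnmatchcase(candidate.lower(), pat.lower()):
            return True
    return False


def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """Evaluate one identity-based policy without conditions:
    explicit Deny wins, then any matching Allow, otherwise implicit deny."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        action_hit = _matches(_as_list(stmt.get("Action")), action, False)
        if "NotAction" in stmt:
            action_hit = not _matches(_as_list(stmt["NotAction"]), action, False)
        resource_hit = _matches(_as_list(stmt.get("Resource")), resource, True)
        if "NotResource" in stmt:
            resource_hit = not _matches(_as_list(stmt["NotResource"]), resource, True)
        if not (action_hit and resource_hit):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


if __name__ == "__main__":
    # Made-up account ID and role names for illustration.
    sso_role = "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_abc123"
    any_role = "arn:aws:iam::111122223333:role/Admin"
    cn_role = "arn:aws-cn:iam::111122223333:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_abc123"
    print("CreateRole on SSO-provisioned role:", is_allowed(EXAMPLE_2_POLICY, "iam:CreateRole", sso_role))
    print("CreateRole on arbitrary role:     ", is_allowed(EXAMPLE_2_POLICY, "iam:CreateRole", any_role))
    print("CreateRole in aws-cn partition:   ", is_allowed(EXAMPLE_2_POLICY, "iam:CreateRole", cn_role))
    print("ListRoles anywhere:               ", is_allowed(EXAMPLE_2_POLICY, "iam:ListRoles", any_role))
```

The evaluator deliberately ignores Condition elements and the organisation's service control policies, so a True result here means only that this policy document, on its own, would allow the call; the real IAM decision also depends on those.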
Example 3: Allow a user to manage applications in IAM Identity Center
The following permissions policy grants permissions that allow a user to view and configure applications in IAM Identity Center, including the pre-integrated SaaS applications in the IAM Identity Center catalog.
As of October 2020, many of these actions can be performed only through the Amazon console. This example policy therefore also includes "read" actions such as List, Get, and Search, which the console needs in order to operate without errors in this case.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sso:AssociateProfile",
"sso:CreateApplicationInstance",
"sso:ImportApplicationInstanceServiceProviderMetadata",
"sso:DeleteApplicationInstance",
"sso:DeleteProfile",
"sso:DisassociateProfile",
"sso:GetApplicationTemplate",
"sso:UpdateApplicationInstanceServiceProviderConfiguration",
"sso:UpdateApplicationInstanceDisplayData",
"sso:DeleteManagedApplicationInstance",
"sso:UpdateApplicationInstanceStatus",
"sso:GetManagedApplicationInstance",
"sso:UpdateManagedApplicationInstanceStatus",
"sso:CreateManagedApplicationInstance",
"sso:UpdateApplicationInstanceSecurityConfiguration",
"sso:UpdateApplicationInstanceResponseConfiguration",
"sso:GetApplicationInstance",
"sso:CreateApplicationInstanceCertificate",
"sso:UpdateApplicationInstanceResponseSchemaConfiguration",
"sso:UpdateApplicationInstanceActiveCertificate",
"sso:DeleteApplicationInstanceCertificate",
"sso:ListApplicationInstanceCertificates",
"sso:ListApplicationTemplates",
"sso:ListApplications",
"sso:ListApplicationInstances",
"sso:ListDirectoryAssociations",
"sso:ListProfiles",
"sso:ListProfileAssociations",
"sso:ListInstances",
"sso:GetProfile",
"sso:GetSSOStatus",
"sso:GetSsoConfiguration",
"sso-directory:DescribeDirectory",
"sso-directory:DescribeUsers",
"sso-directory:ListMembersInGroup",
"sso-directory:SearchGroups",
"sso-directory:SearchUsers"
],
"Resource": "*"
}
]
}
Example 4: Allow a user to manage users and groups in your Identity Center directory
The following permissions policy grants permissions that allow a user to create, view, modify, and delete users and groups in IAM Identity Center.
In some cases, direct modification of users and groups in IAM Identity Center is restricted, for example when Active Directory, or an external identity provider with automatic provisioning enabled, is selected as the identity source.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sso-directory:ListGroupsForUser",
"sso-directory:DisableUser",
"sso-directory:EnableUser",
"sso-directory:SearchGroups",
"sso-directory:DeleteGroup",
"sso-directory:AddMemberToGroup",
"sso-directory:DescribeDirectory",
"sso-directory:UpdateUser",
"sso-directory:ListMembersInGroup",
"sso-directory:CreateUser",
"sso-directory:DescribeGroups",
"sso-directory:SearchUsers",
"sso:ListDirectoryAssociations",
"sso-directory:RemoveMemberFromGroup",
"sso-directory:DeleteUser",
"sso-directory:DescribeUsers",
"sso-directory:UpdateGroup",
"sso-directory:CreateGroup"
],
"Resource": "*"
}
]
}
Permissions required to use the IAM Identity Center console
For a user to work with the IAM Identity Center console without errors, additional permissions are required. If you create an IAM policy that is more restrictive than the minimum required permissions, the console will not function as intended for the users who use that policy. The following example lists the set of permissions that might be required to ensure error-free operation in the IAM Identity Center console.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sso:DescribeAccountAssignmentCreationStatus",
"sso:DescribeAccountAssignmentDeletionStatus",
"sso:DescribePermissionSet",
"sso:DescribePermissionSetProvisioningStatus",
"sso:DescribePermissionsPolicies",
"sso:DescribeRegisteredRegions",
"sso:GetApplicationInstance",
"sso:GetApplicationTemplate",
"sso:GetInlinePolicyForPermissionSet",
"sso:GetManagedApplicationInstance",
"sso:GetMfaDeviceManagementForDirectory",
"sso:GetPermissionSet",
"sso:GetPermissionsPolicy",
"sso:GetProfile",
"sso:GetSharedSsoConfiguration",
"sso:GetSsoConfiguration",
"sso:GetSSOStatus",
"sso:GetTrust",
"sso:ListAccountAssignmentCreationStatus",
"sso:ListAccountAssignmentDeletionStatus",
"sso:ListAccountAssignments",
"sso:ListAccountsForProvisionedPermissionSet",
"sso:ListApplicationInstanceCertificates",
"sso:ListApplicationInstances",
"sso:ListApplications",
"sso:ListApplicationTemplates",
"sso:ListDirectoryAssociations",
"sso:ListInstances",
"sso:ListManagedPoliciesInPermissionSet",
"sso:ListPermissionSetProvisioningStatus",
"sso:ListPermissionSets",
"sso:ListPermissionSetsProvisionedToAccount",
"sso:ListProfileAssociations",
"sso:ListProfiles",
"sso:ListTagsForResource",
"sso-directory:DescribeDirectory",
"sso-directory:DescribeGroups",
"sso-directory:DescribeUsers",
"sso-directory:ListGroupsForUser",
"sso-directory:ListMembersInGroup",
"sso-directory:SearchGroups",
"sso-directory:SearchUsers"
],
"Resource": "*"
}
]
}
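To see whether a custom policy leaves console-required actions uncovered, compare the actions it allows against the list above. The following Python script is an added example, not code from the Amazon documentation. It embeds the full Example 1 action list and a constructed subset of the console-required actions from this section (extend CONSOLE_REQUIRED with the full list above) and reports the gaps, honouring wildcard actions such as sso:List* and explicit Deny statements; it ignores Resource scoping and NotAction grants, which is adequate for these console read calls because they are all made against Resource "*".

```python
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List

# Constructed subset of the console-required actions listed in this section.
CONSOLE_REQUIRED = [
    "sso:DescribePermissionSet",
    "sso:DescribeRegisteredRegions",
    "sso:GetInlinePolicyForPermissionSet",
    "sso:ListAccountAssignments",
    "sso:ListInstances",
    "sso:ListPermissionSets",
    "sso:ListTagsForResource",
    "sso-directory:DescribeDirectory",
    "sso-directory:SearchGroups",
    "sso-directory:SearchUsers",
]

# The read-only policy from Example 1 earlier on this page, embedded so the check runs offline.
EXAMPLE_1_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "ds:DescribeDirectories", "ds:DescribeTrusts", "iam:ListPolicies",
            "organizations:DescribeOrganization", "organizations:DescribeAccount",
            "organizations:ListParents", "organizations:ListChildren",
            "organizations:ListAccounts", "organizations:ListRoots",
            "organizations:ListAccountsForParent",
            "organizations:ListDelegatedAdministrators",
            "organizations:ListOrganizationalUnitsForParent",
            "sso:ListManagedPoliciesInPermissionSet",
            "sso:ListPermissionSetsProvisionedToAccount",
            "sso:ListAccountAssignments",
            "sso:ListAccountsForProvisionedPermissionSet",
            "sso:ListPermissionSets", "sso:DescribePermissionSet",
            "sso:GetInlinePolicyForPermissionSet",
            "sso-directory:DescribeDirectory", "sso-directory:SearchUsers",
            "sso-directory:SearchGroups",
        ],
        "Resource": "*",
    }],
}


def _as_list(value) -> List:
    """IAM accepts a bare string/object or a list; normalize to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _action_patterns(policy: Dict, effect: str) -> List[str]:
    """Collect the Action patterns of every statement that has the given Effect."""
    return [a for s in _as_list(policy.get("Statement"))
            if s.get("Effect") == effect for a in _as_list(s.get("Action"))]


def _covered(patterns: Iterable[str], action: str) -> bool:
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)


def missing_console_actions(policy: Dict, required: Iterable[str] = CONSOLE_REQUIRED) -> List[str]:
    """Return the required actions that no Allow statement grants, plus any that
    an explicit Deny statement takes away again, in the order of `required`."""
    allows = _action_patterns(policy, "Allow")
    denies = _action_patterns(policy, "Deny")
    return [a for a in required if not _covered(allows, a) or _covered(denies, a)]


if __name__ == "__main__":
    # Example 1 is read-only but not console-complete against this subset.
    for action in missing_console_actions(EXAMPLE_1_POLICY):
        print("missing:", action)
```

Against the subset above, the Example 1 policy lacks sso:DescribeRegisteredRegions, sso:ListInstances and sso:ListTagsForResource, which is consistent with the recommendation earlier on this page to prefer the ViewOnlyAccess managed policy for real console users rather than the hand-written read-only example.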