控制对维护时段的访问权限 (AWS CLI)
以下过程介绍如何使用 AWS CLI 创建维护时段所需的角色和权限。
任务 1:(可选)为 维护时段 (AWS CLI) 创建自定义服务角色
重要
A custom service role is not required if you choose to use a Systems Manager service-linked role to let maintenance windows run tasks on your behalf instead. If you do not have a Systems Manager service-linked role in your account, you can create it when you create or update a maintenance window task using the Systems Manager console. For more information, see the following topics:
-
将以下信任策略复制并粘贴到文本文件中。使用以下名称和文件扩展名保存此文件:
mw-role-trust-policy.json。注意
仅当打算使用 Amazon SNS 发送与通过 SendCommand API 或 AWS CLI 中的
send-command运行的维护时段任务相关的通知时,才需要"sns.amazonaws.com"。{ "Version":"2012-10-17", "Statement":[ { "Effect":"Allow", "Principal":{ "Service":[ "ssm.amazonaws.com", "sns.amazonaws.com" ] }, "Action":"sts:AssumeRole" } ] } -
打开 AWS CLI 并在放置
mw-role-trust-policy.json的目录中运行以下命令,创建一个名为mw-task-role的维护时段角色。此命令将上一步中创建的策略分配给该角色:aws iam create-role --role-name mw-task-role --assume-role-policy-document file://mw-role-trust-policy.json系统将返回类似于以下内容的信息:
{ "Role":{ "AssumeRolePolicyDocument":{ "Version":"2012-10-17", "Statement":[ { "Action":"sts:AssumeRole", "Effect":"Allow", "Principal":{ "Service":[ "ssm.amazonaws.com", "ec2.amazonaws.com", "sns.amazonaws.com" ] } } ] }, "RoleId":"AROAIIZKPBKS2LEXAMPLE", "CreateDate":"2017-04-04T03:40:17.373Z", "RoleName":"mw-task-role", "Path":"/", "Arn":"arn:aws:iam::123456789012:role/mw-task-role" } }注意
记录
RoleName和Arn。您在创建维护时段指定这些信息。 -
运行以下命令,将
AmazonSSMMaintenanceWindowRole管理的策略附加到在步骤 2 中创建的角色:aws iam attach-role-policy --role-name mw-task-role --policy-arn arn:aws:iam::aws:policy/service-role/AmazonSSMMaintenanceWindowRole
任务 2:将 IAM PassRole 策略分配到 IAM 用户或组
When you register a task with a maintenance window, you specify either a custom service role or a Systems Manager service-linked role to run the actual task operations. This is the role that the service assumes when it runs tasks on your behalf. Before that, to register the task itself, you must assign the IAM PassRole policy to an IAM user account or an IAM group. This allows the IAM user or IAM group to specify, as part of registering those tasks with the maintenance window, the role that should be used when running tasks. For information, see Granting a User Permissions to Pass a Role to an AWS Service in the IAM User Guide.
将 IAM PassRole 策略分配给 IAM 用户账户或组 (AWS CLI)
-
将以下 IAM 策略复制并粘贴到文本编辑器中,然后使用以下名称和文件扩展名保存:
mw-passrole-policy.json。{ "Version":"2012-10-17", "Statement":[ { "Sid":"Stmt1491345526000", "Effect":"Allow", "Action":[ "iam:GetRole", "iam:PassRole", "ssm:RegisterTaskWithMaintenanceWindow" ], "Resource":[ "*" ] } ] } -
打开 AWS CLI。
-
根据您是要将权限分配到 IAM 用户还是组,运行以下命令之一。
-
对于 IAM 用户:
aws iam put-user-policy --user-nameuser-name--policy-name "policy-name" --policy-documentpath-to-document对于
user-name,请指定将向维护时段分配任务的 IAM 用户。对于policy-name,指定要用于标识策略的名称。对于path-to-document,请指定步骤 1 中保存文件的路径。例如:file://C:\Temp\mw-passrole-policy.json注意
如果您计划使用 AWS Systems Manager 控制台注册维护时段的任务,则还必须将
AmazonSSMFullAccess策略分配给您的用户账户。运行以下命令将此策略分配给您的账户:aws iam attach-user-policy --policy-arn arn:aws:iam::aws:policy/AmazonSSMFullAccess --user-nameuser-name -
对于 IAM 组:
aws iam put-group-policy --group-namegroup-name--policy-name "policy-name" --policy-documentpath-to-document对于
group-name,指定其成员将向维护时段分配任务的 IAM 组。对于policy-name,指定要用于标识策略的名称。对于path-to-document,请指定步骤 1 中保存文件的路径。例如:file://C:\Temp\mw-passrole-policy.json注意
如果您计划使用 AWS Systems Manager 控制台注册维护时段的任务,则还必须将
AmazonSSMFullAccess策略分配给您的组。运行以下命令将此策略分配给您的组:aws iam attach-group-policy --policy-arn arn:aws:iam::aws:policy/AmazonSSMFullAccess --group-namegroup-name
-
-
运行以下命令验证策略是否已分配给该组:
aws iam list-group-policies --group-namegroup-name