AWS中国区IAM相关凭证自行管理策略（只读CodeCommit版）

目标

需要从CodeCommit读取代码。除了设置AWS托管策略：AWSCodeCommitReadOnly。还需要自定义策略，让用户能够自行管理IAM自己的相关凭证。

IAM自定义策略

{"Version": "2012-10-17","Statement": [{"Sid": "AllowViewAccountInfo","Effect": "Allow","Action": ["iam:GetAccountPasswordPolicy","iam:GetAccountSummary"],"Resource": "*"},{"Sid": "AllowManageOwnPasswords","Effect": "Allow","Action": ["iam:ChangePassword","iam:GetUser"],"Resource": "arn:aws-cn:iam::*:user/${aws:username}"},{"Sid": "AllowManageOwnAccessKeys","Effect": "Allow","Action": ["iam:CreateAccessKey","iam:DeleteAccessKey","iam:ListAccessKeys","iam:UpdateAccessKey","iam:GetAccessKeyLastUsed"],"Resource": "arn:aws-cn:iam::*:user/${aws:username}"},{"Sid": "AllowManageOwnSigningCertificates","Effect": "Allow","Action": ["iam:DeleteSigningCertificate","iam:ListSigningCertificates","iam:UpdateSigningCertificate","iam:UploadSigningCertificate"],"Resource": "arn:aws-cn:iam::*:user/${aws:username}"},{"Sid": "AllowManageOwnSSHPublicKeys","Effect": "Allow","Action": ["iam:DeleteSSHPublicKey","iam:GetSSHPublicKey","iam:ListSSHPublicKeys","iam:UpdateSSHPublicKey","iam:UploadSSHPublicKey"],"Resource": "arn:aws-cn:iam::*:user/${aws:username}"},{"Sid": "AllowManageOwnGitCredentials","Effect": "Allow","Action": ["iam:CreateServiceSpecificCredential","iam:DeleteServiceSpecificCredential","iam:ListServiceSpecificCredentials","iam:ResetServiceSpecificCredential","iam:UpdateServiceSpecificCredential"],"Resource": "arn:aws-cn:iam::*:user/${aws:username}"}]
}

总结

有了AWS托管策略：AWSCodeCommitReadOnly和自定义策略，就让用户对CodeCommit代码只读权限了。

参考

• AWS：允许 IAM 用户在“安全凭证”页面上管理自己的凭证