AWS中国区IAM相关凭证自行管理策略(只读CodeCommit版)
目标
需要从CodeCommit读取代码。除了设置AWS托管策略:AWSCodeCommitReadOnly。还需要自定义策略,让用户能够自行管理IAM自己的相关凭证。
IAM自定义策略
{"Version": "2012-10-17","Statement": [{"Sid": "AllowViewAccountInfo","Effect": "Allow","Action": ["iam:GetAccountPasswordPolicy","iam:GetAccountSummary"],"Resource": "*"},{"Sid": "AllowManageOwnPasswords","Effect": "Allow","Action": ["iam:ChangePassword","iam:GetUser"],"Resource": "arn:aws-cn:iam::*:user/${aws:username}"},{"Sid": "AllowManageOwnAccessKeys","Effect": "Allow","Action": ["iam:CreateAccessKey","iam:DeleteAccessKey","iam:ListAccessKeys","iam:UpdateAccessKey","iam:GetAccessKeyLastUsed"],"Resource": "arn:aws-cn:iam::*:user/${aws:username}"},{"Sid": "AllowManageOwnSigningCertificates","Effect": "Allow","Action": ["iam:DeleteSigningCertificate","iam:ListSigningCertificates","iam:UpdateSigningCertificate","iam:UploadSigningCertificate"],"Resource": "arn:aws-cn:iam::*:user/${aws:username}"},{"Sid": "AllowManageOwnSSHPublicKeys","Effect": "Allow","Action": ["iam:DeleteSSHPublicKey","iam:GetSSHPublicKey","iam:ListSSHPublicKeys","iam:UpdateSSHPublicKey","iam:UploadSSHPublicKey"],"Resource": "arn:aws-cn:iam::*:user/${aws:username}"},{"Sid": "AllowManageOwnGitCredentials","Effect": "Allow","Action": ["iam:CreateServiceSpecificCredential","iam:DeleteServiceSpecificCredential","iam:ListServiceSpecificCredentials","iam:ResetServiceSpecificCredential","iam:UpdateServiceSpecificCredential"],"Resource": "arn:aws-cn:iam::*:user/${aws:username}"}]
}
总结
有了AWS托管策略:AWSCodeCommitReadOnly和自定义策略,就让用户对CodeCommit代码只读权限了。
参考
- AWS:允许 IAM 用户在“安全凭证”页面上管理自己的凭证