[Title]: AWS SSM: permissions required for aws:domainJoin?
[Posted]: 2020-04-12 05:40:14
[Question]:

I'm trying to set up an EC2 role that lets an instance join a domain using the New-SSMAssociation PowerShell cmdlet. Does anyone know the minimum permissions required to accomplish this?

I read the article at https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-dx-domain/, but AmazonEC2RoleforSSM has been deprecated in favour of the AmazonSSMManagedInstanceCore policy, and when I combine that policy with the AmazonSSMDirectoryServiceAccess policy I get an error: New-SSMAssociation : User: arn:aws:sts:::assumed-role/MyEC2Role/ is not authorized to perform: ssm:CreateAssociation on resource: arn:aws:ec2:us-east-1::instance/

The only way I've been able to get it to work is with ssm:*, but I'd rather not do that if possible. The combined policy I'm using (without ssm:*) is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:CreateAssociation"
            ],
            "Resource": "arn:aws:ssm:<region>:<account-id>:document/JoinDomain"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ds:CreateComputer",
                "ds:DescribeDirectories"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeAssociation",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "ssm:GetDocument",
                "ssm:DescribeDocument",
                "ssm:GetManifest",
                "ssm:GetParameters",
                "ssm:ListAssociations",
                "ssm:ListInstanceAssociations",
                "ssm:PutInventory",
                "ssm:PutComplianceItems",
                "ssm:PutConfigurePackageResult",
                "ssm:UpdateAssociationStatus",
                "ssm:UpdateInstanceAssociationStatus",
                "ssm:UpdateInstanceInformation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2messages:AcknowledgeMessage",
                "ec2messages:DeleteMessage",
                "ec2messages:FailMessage",
                "ec2messages:GetEndpoint",
                "ec2messages:GetMessages",
                "ec2messages:SendReply"
            ],
            "Resource": "*"
        }
    ]
}

[Discussion]:

    Tags: amazon-web-services amazon-systems-manager


    [Answer 1]:

    The approach that works in our environment.
    Create an IAM role with the following policy:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "SSMDocument",
                "Effect": "Allow",
                "Action": [
                    "ssm:CreateAssociation"
                ],
                "Resource": [
                    "arn:aws:ec2:${AWS_REGION}:${AWS_ACCOUNT}:instance/*",
                    "arn:aws:ssm:${AWS_REGION}:${AWS_ACCOUNT}:document/${SSM_DOCUMENT_NAME}"
                ]
            }
        ]
    }
    

    plus the predefined policies AmazonSSMDirectoryServiceAccess and AmazonSSMManagedInstanceCore.

    User data as follows:

    <powershell>
    # ${...} placeholders are filled in by the Terraform template_file data source below.
    # ECS agent settings: these instances are also ECS container hosts.
    [Environment]::SetEnvironmentVariable("ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE", "true", "Machine")
    [Environment]::SetEnvironmentVariable("ECS_ENABLE_CONTAINER_METADATA", "true", "Machine")
    Import-Module ECSTools
    Initialize-ECSAgent -Cluster '${ECS_CLUSTER_NAME}' -EnableTaskIAMRole
    Set-DefaultAWSRegion -Region ${AWS_REGION}
    # Look up this instance's own id from IMDS (plain IMDSv1 request; an instance that
    # enforces IMDSv2 needs a session token header on this call).
    Set-Variable -Name instance_id -Value (Invoke-RestMethod -Uri http://169.254.169.254/latest/meta-data/instance-id)
    # Create the association that runs the aws:domainJoin document against this instance;
    # the instance role must be allowed ssm:CreateAssociation on both the document and the instance ARN.
    New-SSMAssociation -Name "${SSM_DOCUMENT_NAME}" -Target @{Key="instanceids";Values=@($instance_id)}
    </powershell>
    

    Terraform snippet for the SSM document:

    # Look up the Directory Service directory the instances will join.
    data "aws_directory_service_directory" "domain_controller" {
      directory_id = var.directory_id
    }

    # Render the PowerShell user data above, filling in the template variables.
    data "template_file" "userdata" {
      template = file("${path.module}/files/userdata.ps1")
      vars = {
        SSM_DOCUMENT_NAME = aws_ssm_document.ad_join_domain.name
        AWS_REGION        = var.region
        ECS_CLUSTER_NAME  = local.cluster_name
      }
    }

    # Command document with a single aws:domainJoin step; its name is the
    # document ARN the IAM policy above is scoped to.
    resource "aws_ssm_document" "ad_join_domain" {
      name          = "${var.environment}-ad-join-domain"
      document_type = "Command"
      content = jsonencode(
        {
          "schemaVersion" = "2.2"
          "description"   = "join aws directory services domain"
          "mainSteps" = [
            {
              "action" = "aws:domainJoin",
              "name"   = "domainJoin",
              "inputs" = {
                "directoryId" : data.aws_directory_service_directory.domain_controller.id,
                "directoryName" : data.aws_directory_service_directory.domain_controller.name,
                "dnsIpAddresses" : sort(data.aws_directory_service_directory.domain_controller.dns_ip_addresses)
              }
            }
          ]
        }
      )
      tags = {
        environment = var.environment
      }
    }
    

    [Discussion]:
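The point both the question's AccessDenied error and the answer's policy turn on is that, when CreateAssociation targets a specific instance, IAM evaluates ssm:CreateAssociation against two resources: the SSM document ARN and the EC2 instance ARN. The question's policy lists only the document, so the instance check fails; the answer adds the account's instance ARN pattern. The script below is an added example (not the question's or the answer's code) that checks a policy document offline for exactly that gap, and contrasts it with the ssm:* workaround's blast radius. It uses a constructed account id, instance id and document name, and a deliberately simplified evaluator (Effect/Action/Resource with IAM wildcards and explicit-deny-wins; no Condition, NotAction, NotResource or policy variables). Treat it as a reasoning aid and confirm against the real account with `aws iam simulate-principal-policy`.

```python
"""Offline check: does an instance-role policy cover BOTH resources IAM
evaluates for ssm:CreateAssociation when the association targets an instance?

Simplified evaluator: Effect/Action/Resource with IAM '*' and '?' wildcards,
explicit Deny wins, default deny. It ignores Condition, NotAction, NotResource
and policy variables. Confirm with `aws iam simulate-principal-policy`.
"""
import re

# Constructed identifiers for the demo (not from the original post).
REGION = "us-east-1"
ACCOUNT = "111122223333"
INSTANCE_ID = "i-0123456789abcdef0"
DOCUMENT_NAME = "JoinDomain"

# The question's statement: CreateAssociation scoped to the document only.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ssm:CreateAssociation"],
         "Resource": f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/{DOCUMENT_NAME}"},
    ],
}

# The answer's statement: the document ARN plus the account's instances.
ANSWER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "SSMDocument", "Effect": "Allow", "Action": ["ssm:CreateAssociation"],
         "Resource": [
             f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*",
             f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/{DOCUMENT_NAME}",
         ]},
    ],
}

# The "it works but I'd rather not" workaround from the question.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "ssm:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, case_insensitive=False):
    """IAM-style glob: '*' matches any run of characters, '?' one character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource_arn):
    """True if the policy allows action on resource_arn; an explicit Deny wins."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        # Action names are case-insensitive in IAM; ARNs are matched as written.
        if not any(_iam_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_iam_match(r, resource_arn) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def create_association_resources(region, account, instance_id, document_name):
    """Both ARNs IAM evaluates for ssm:CreateAssociation targeting one instance."""
    return {
        "document": f"arn:aws:ssm:{region}:{account}:document/{document_name}",
        "instance": f"arn:aws:ec2:{region}:{account}:instance/{instance_id}",
    }


def missing_grants(policy, region=REGION, account=ACCOUNT,
                   instance_id=INSTANCE_ID, document_name=DOCUMENT_NAME):
    """Names of the CreateAssociation resources the policy does not cover."""
    needed = create_association_resources(region, account, instance_id, document_name)
    return sorted(name for name, arn in needed.items()
                  if not is_allowed(policy, "ssm:CreateAssociation", arn))


if __name__ == "__main__":
    for label, policy in (("question", QUESTION_POLICY),
                          ("answer", ANSWER_POLICY),
                          ("ssm:* workaround", BROAD_POLICY)):
        print(f"{label:18s} missing: {missing_grants(policy) or 'nothing'}")
    # Blast radius of the workaround: ssm:* on * also grants unrelated writes.
    doc = f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/anything"
    print("ssm:* allows DeleteDocument:", is_allowed(BROAD_POLICY, "ssm:DeleteDocument", doc))
    print("answer allows DeleteDocument:", is_allowed(ANSWER_POLICY, "ssm:DeleteDocument", doc))
```

Running it reports `missing: ['instance']` for the question's policy and nothing missing for the other two, while only the ssm:* policy also allows ssm:DeleteDocument. The answer's `instance/*` pattern is still account- and region-scoped, so a cross-account instance ARN is rejected; narrowing it further (for example to tagged instances) needs a Condition block, which this evaluator does not model.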
