授予用户创建组织权限的 SLR 策略

Question

我希望拥有一个能够创建 IAM 组织的 IAM 用户，仅此而已。

为此，我需要创建一个使用 SLR 的策略。

我正在将策略附加到我的 IAM 所属的组。

如果我使用通用 SLR 权限策略，我可以创建一个包含任何用户的组织。

{
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "arn:aws:iam::*:role/aws-service-role/*"
}

当我指定我想要拥有这些权限的确切用户资源时，我不能再这样做了。

这是 aws 文档中提供的模板

{
   "Effect": "Allow",
   "Action": "iam:CreateServiceLinkedRole",
   "Resource": "arn:aws:iam::*:role/aws-service-role/SERVICE-NAME.amazonaws.com/SERVICE-LINKED-ROLE-NAME-PREFIX*",
   "Condition": {"StringLike": {"iam:AWSServiceName": "SERVICE-NAME.amazonaws.com"}}
},

这是我的

{
  "Effect": "Allow",
  "Action": "iam:CreateServiceLinkedRole",
  "Resource": "arn:aws:iam::000056397000:user/root_name:role/aws-service-role/organizations.amazonaws.com/*"
}

我得到的错误是：

An error occurred (AccessDeniedForDependencyException) when calling the CreateOrganization operation: The

request failed because your credentials do not have permission to create the service-linked role required 

by AWS Organizations.

我错过了什么？

Answer 1

我找到了解决办法。 不理想，也许有人有更好的主意。

包含 2 个策略的组

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/organizations.amazonaws.com/AWSServiceRoleForOrganizations*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "organizations.amazonaws.com"
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "organizations:CreateOrganization",
            "Resource": "*"
        }
    ]
}