如何在json IAM策略中添加注解?

1qczuiv0  于 2023-10-21  发布在  其他
关注(0)|答案(4)|浏览(105)

IAM政策是复杂的野兽。这将是很好的添加一个评论时,制作它们。比如说,

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1422979261000",
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
      ],
      "Comment": "Foo"
      # or Bar
      "Resource": [
        "*"
      ]
    }
  ]
}

这两个都不管用。是否存在向这些策略添加注解的方法?

lsmepo6l

lsmepo6l1#

Hyper Anthony的answer在严格意义上的“注解”是正确的-然而,在大多数情况下,您至少可以使用Sid作为伪注解来传达意图或任何约束等:
Sid(语句ID)是您为策略语句提供的可选标识符**。可以为语句数组中的每个语句分配Sid值。在允许您指定ID元素的服务(如SQS和SNS)中,Sid值只是策略文档ID的子ID。在IAM中,Sid值在策略中必须是唯一的。[强调我的]
这是例如例如在AWS博客文章Demystifying EC2 Resource-Level Permissions中使用TheseActionsSupportResourceLevelPermissions

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "TheseActionsSupportResourceLevelPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:StopInstances",
                "ec2:StartInstances"
            ],
            "Resource": "arn:aws:ec2:us-east-1:accountid:instance/*"
        }
    ]
}
  • 正如在Sid中提到的,有些服务 * 可能需要这个元素,并且对它有唯一性要求 *,但是我还没有遇到过由此产生的命名约束。
wb1gzix0

wb1gzix02#

不。一般来说,你描述的评论是are not allowed in JSON。要有效地创建注解,您需要允许一个描述注解的新元素。由于AWS是这个json对象的主人,他们将负责允许这一点。
目前,only allow the following elements

  • 版本
  • ID
  • 声明
  • Sid
  • 效果
  • 主要
  • 非主要
  • 行动
  • NotAction
  • 资源
  • NotResource
  • 条件
2ul0zpep

2ul0zpep3#

JSON不支持注解。但是我们可以添加'Sid:'作为注解,以便将多个服务策略分类到一个策略中。下面我正在上传Ec2,S3,Lambda,ElasticBeanStalk服务的单个JSON策略。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2FullAccess",
            "Action": "ec2:*",
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "elasticloadbalancing:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudwatch:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "autoscaling:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": [
                        "autoscaling.amazonaws.com",
                        "ec2scheduled.amazonaws.com",
                        "elasticloadbalancing.amazonaws.com",
                        "spot.amazonaws.com",
                        "spotfleet.amazonaws.com",
                        "transitgateway.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "S3FullAccess",
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3-object-lambda:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "LambdaFullAccess",
            "Effect": "Allow",
            "Action": [
                "cloudformation:DescribeStacks",
                "cloudformation:ListStackResources",
                "cloudwatch:ListMetrics",
                "cloudwatch:GetMetricData",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "kms:ListAliases",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "lambda:*",
                "logs:DescribeLogGroups",
                "states:DescribeStateMachine",
                "states:ListStateMachines",
                "tag:GetResources",
                "xray:GetTraceSummaries",
                "xray:BatchGetTraces"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "lambda.amazonaws.com"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:DescribeLogStreams",
                "logs:GetLogEvents",
                "logs:FilterLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/lambda/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "acm:Describe*",
                "acm:List*",
                "autoscaling:Describe*",
                "cloudformation:Describe*",
                "cloudformation:Estimate*",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudformation:Validate*",
                "cloudtrail:LookupEvents",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "codecommit:Get*",
                "codecommit:UploadArchive",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AuthorizeSecurityGroup*",
                "ec2:CreateLaunchTemplate*",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteLaunchTemplate*",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteTags",
                "ec2:Describe*",
                "ec2:DisassociateAddress",
                "ec2:ReleaseAddress",
                "ec2:RevokeSecurityGroup*",
                "ecs:CreateCluster",
                "ecs:DeRegisterTaskDefinition",
                "ecs:Describe*",
                "ecs:List*",
                "ecs:RegisterTaskDefinition",
                "elasticbeanstalk:*",
                "elasticloadbalancing:Describe*",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfiles",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:ListServerCertificates",
                "logs:Describe*",
                "rds:Describe*",
                "s3:ListAllMyBuckets",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "sqs:ListQueues"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:*"
            ],
            "Resource": [
                "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/awseb-e-*",
                "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/eb-*",
                "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/awseb-e-*",
                "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/eb-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudformation:CancelUpdateStack",
                "cloudformation:ContinueUpdateRollback",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:GetTemplate",
                "cloudformation:ListStackResources",
                "cloudformation:SignalResource",
                "cloudformation:TagResource",
                "cloudformation:UntagResource",
                "cloudformation:UpdateStack"
            ],
            "Resource": [
                "arn:aws:cloudformation:*:*:stack/awseb-*",
                "arn:aws:cloudformation:*:*:stack/eb-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "cloudwatch:DeleteAlarms",
                "cloudwatch:PutMetricAlarm"
            ],
            "Resource": [
                "arn:aws:cloudwatch:*:*:alarm:awseb-*",
                "arn:aws:cloudwatch:*:*:alarm:eb-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "codebuild:BatchGetBuilds",
                "codebuild:CreateProject",
                "codebuild:DeleteProject",
                "codebuild:StartBuild"
            ],
            "Resource": "arn:aws:codebuild:*:*:project/Elastic-Beanstalk-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:CreateTable",
                "dynamodb:DeleteTable",
                "dynamodb:DescribeTable",
                "dynamodb:TagResource"
            ],
            "Resource": [
                "arn:aws:dynamodb:*:*:table/awseb-e-*",
                "arn:aws:dynamodb:*:*:table/eb-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "ec2:TerminateInstances"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/aws:cloudformation:stack-id": [
                        "arn:aws:cloudformation:*:*:stack/awseb-e-*",
                        "arn:aws:cloudformation:*:*:stack/eb-*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": "*",
            "Condition": {
                "ArnLike": {
                    "ec2:LaunchTemplate": "arn:aws:ec2:*:*:launch-template/*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ecs:DeleteCluster"
            ],
            "Resource": "arn:aws:ecs:*:*:cluster/awseb-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:*Rule",
                "elasticloadbalancing:*Tags",
                "elasticloadbalancing:SetRulePriorities",
                "elasticloadbalancing:SetSecurityGroups"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*",
                "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
                "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:*"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:*:targetgroup/awseb-*",
                "arn:aws:elasticloadbalancing:*:*:targetgroup/eb-*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/awseb-*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/eb-*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/*/awseb-*/*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/*/eb-*/*",
                "arn:aws:elasticloadbalancing:*:*:listener/awseb-*",
                "arn:aws:elasticloadbalancing:*:*:listener/eb-*",
                "arn:aws:elasticloadbalancing:*:*:listener/*/awseb-*/*/*",
                "arn:aws:elasticloadbalancing:*:*:listener/*/eb-*/*/*",
                "arn:aws:elasticloadbalancing:*:*:listener-rule/app/awseb-*/*/*/*",
                "arn:aws:elasticloadbalancing:*:*:listener-rule/app/eb-*/*/*/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:CreateRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-elasticbeanstalk*",
                "arn:aws:iam::*:instance-profile/aws-elasticbeanstalk*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/aws-elasticbeanstalk*",
            "Condition": {
                "StringLike": {
                    "iam:PolicyArn": [
                        "arn:aws:iam::aws:policy/AWSElasticBeanstalk*",
                        "arn:aws:iam::aws:policy/service-role/AWSElasticBeanstalk*"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "elasticbeanstalk.amazonaws.com",
                        "ec2.amazonaws.com",
                        "ec2.amazonaws.com.cn",
                        "autoscaling.amazonaws.com",
                        "elasticloadbalancing.amazonaws.com",
                        "ecs.amazonaws.com",
                        "cloudformation.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling*",
                "arn:aws:iam::*:role/aws-service-role/elasticbeanstalk.amazonaws.com/AWSServiceRoleForElasticBeanstalk*",
                "arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing*",
                "arn:aws:iam::*:role/aws-service-role/managedupdates.elasticbeanstalk.amazonaws.com/AWSServiceRoleForElasticBeanstalk*",
                "arn:aws:iam::*:role/aws-service-role/maintenance.elasticbeanstalk.amazonaws.com/AWSServiceRoleForElasticBeanstalk*"
            ],
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": [
                        "autoscaling.amazonaws.com",
                        "elasticbeanstalk.amazonaws.com",
                        "elasticloadbalancing.amazonaws.com",
                        "managedupdates.elasticbeanstalk.amazonaws.com",
                        "maintenance.elasticbeanstalk.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "logs:CreateLogGroup",
                "logs:DeleteLogGroup",
                "logs:PutRetentionPolicy"
            ],
            "Resource": "arn:aws:logs:*:*:log-group:/aws/elasticbeanstalk/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "rds:*DBSubnetGroup",
                "rds:AuthorizeDBSecurityGroupIngress",
                "rds:CreateDBInstance",
                "rds:CreateDBSecurityGroup",
                "rds:DeleteDBInstance",
                "rds:DeleteDBSecurityGroup",
                "rds:ModifyDBInstance",
                "rds:RestoreDBInstanceFromDBSnapshot"
            ],
            "Resource": [
                "arn:aws:rds:*:*:db:*",
                "arn:aws:rds:*:*:secgrp:awseb-e-*",
                "arn:aws:rds:*:*:secgrp:eb-*",
                "arn:aws:rds:*:*:snapshot:*",
                "arn:aws:rds:*:*:subgrp:awseb-e-*",
                "arn:aws:rds:*:*:subgrp:eb-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:Delete*",
                "s3:Get*",
                "s3:Put*"
            ],
            "Resource": "arn:aws:s3:::elasticbeanstalk-*/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:CreateBucket",
                "s3:GetBucket*",
                "s3:ListBucket",
                "s3:PutBucketPolicy"
            ],
            "Resource": "arn:aws:s3:::elasticbeanstalk-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sns:CreateTopic",
                "sns:DeleteTopic",
                "sns:GetTopicAttributes",
                "sns:Publish",
                "sns:SetTopicAttributes",
                "sns:Subscribe",
                "sns:Unsubscribe"
            ],
            "Resource": "arn:aws:sns:*:*:ElasticBeanstalkNotifications-*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "sqs:*QueueAttributes",
                "sqs:CreateQueue",
                "sqs:DeleteQueue",
                "sqs:SendMessage",
                "sqs:TagQueue"
            ],
            "Resource": [
                "arn:aws:sqs:*:*:awseb-e-*",
                "arn:aws:sqs:*:*:eb-*"
            ]
        }
    ]
}
7y4bm7vi

7y4bm7vi4#

虽然Sid是解决缺乏评论能力的一个很好的解决方案,但使用标签也是另一种尚未提到的方法。另外,另一种方法是完全停止使用JSON。详情如下...

使用标签

当在AWS中创建策略时,you can add tags to that policy将允许您在键值对中插入用户生成的注解。

停止使用JSON

理想情况下,您的策略声明不应该存储在AWS中,因为您无法在那里获得源代码跟踪。在将代码部署到AWS之前,应始终使用Github或CodeCommit等工具来存储代码。AWS不应该是您应用程序的真实来源,而是使用CloudformationCDK、Terraform、AWS CLI等部署策略的地方。在这些情况下,您的策略文档可以存储为YAML(或其他语言)而不是JSON。例如,如果使用Typescript + CDK,则可以在代码中添加注解。或者如果你使用Cloudformation,使用支持注解的YAML。如果您使用AWS CLI,请在使用json之前使用YAML转换器工具。我相信这是对最初问题的最理想的回答,因为AWS等云环境几乎从未被设计为轻松跟踪随时间推移对部署代码的更改。例如,AWS IAM策略can only have 5 versions之前,您必须删除一个才能插入新版本的策略。

相关问题