我有两个 AWS 账户,每个账户中有一个角色:帐户-A有角色A和帐户-B有角色B。
RoleA 将假定 RoleB 能够通过 连接到 Account-B 中的 EC2 实例ssm start-session
。
使用 RoleA,我可以承担 RoleB 并使用 aws cli 描述 Account-B 中的实例,但由于以下错误,我无法启动 ssm 会话:
An error occurred (AccessDeniedException) when calling the TerminateSession operation: User: arn:aws:sts::222222222222:assumed-role/RoleB/RoleB-SSM-test is not authorized to perform: ssm:TerminateSession on resource: arn:aws:ssm:us-east-1:222222222222:assumed-role/RoleB/RoleB-SSM-test-000000000000 because no identity-based policy allows the ssm:TerminateSession action
RoleA 策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::222222222222:role/RoleB"
]
}
]
}
RoleB 策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"ssm:DescribeSessions",
"ssm:GetConnectionStatus",
"ssm:DescribeInstanceProperties",
"ec2:DescribeInstances",
"ssm:StartSession"
],
"Resource": [
"arn:aws:ec2:us-east-1:222222222222:instance/i-123456abc789102de",
"arn:aws:ssm:us-east-1:222222222222:document/SSM-SessionManagerRunShell",
"arn:aws:ssm:us-east-1:222222222222:document/AWS-StartSSHSession"
]
},
{
"Sid":"",
"Effect":"Allow",
"Action": [
"ssm:TerminateSession"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ssm:resourceTag/aws:ssmmessages:session-id": [
"AROAXXXXXXXXXXXXX"
]
}
}
}
]
}
最初,ssm:TerminateSession
RoleB 策略中没有条件并且与其他操作一起进行,我进行了此更改以尝试解决此错误,但没有成功,错误消息相同。
我做错了什么?
答案1
您的 RoleB 策略缺少一些权限。根据文档,您需要kms:GenerateDataKey
加密会话数据,还需要访问 SSM 创建的文档。以下是文档中的示例策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": [
"arn:aws:ec2:region:account-id:instance/instance-id",
"arn:aws:ssm:region:account-id:document/SSM-SessionManagerRunShell"
],
"Condition": {
"BoolIfExists": {
"ssm:SessionDocumentAccessCheck": "true"
}
}
},
{
"Effect": "Allow",
"Action": [
"ssm:DescribeSessions",
"ssm:GetConnectionStatus",
"ssm:DescribeInstanceProperties",
"ec2:DescribeInstances"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:TerminateSession",
"ssm:ResumeSession"
],
"Resource": [
"arn:aws:ssm:*:*:session/${aws:username}-*"
]
},
{
"Effect": "Allow",
"Action": [
"kms:GenerateDataKey"
],
"Resource": "key-name"
}
]
}