跨账户 SSM 会话:AccessDeniedException

tag-icon tag-icon amazon-ec2 amazon-iam aws-session-manager
跨账户 SSM 会话:AccessDeniedException

我有两个 AWS 账户,每个账户中有一个角色:帐户-A角色A帐户-B角色B

RoleA 将假定 RoleB 能够通过 连接到 Account-B 中的 EC2 实例ssm start-session

使用 RoleA,我可以承担 RoleB 并使用 aws cli 描述 Account-B 中的实例,但由于以下错误,我无法启动 ssm 会话:

An error occurred (AccessDeniedException) when calling the TerminateSession operation: User: arn:aws:sts::222222222222:assumed-role/RoleB/RoleB-SSM-test is not authorized to perform: ssm:TerminateSession on resource: arn:aws:ssm:us-east-1:222222222222:assumed-role/RoleB/RoleB-SSM-test-000000000000 because no identity-based policy allows the ssm:TerminateSession action

RoleA 策略:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Allow",
               "Action": [
                   "sts:AssumeRole"
               ],
               "Resource": [
                   "arn:aws:iam::222222222222:role/RoleB"
               ]
           }
       ]
   }

RoleB 策略:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Sid": "",
               "Effect": "Allow",
               "Action": [
                   "ssm:DescribeSessions",
                   "ssm:GetConnectionStatus",
                   "ssm:DescribeInstanceProperties",
                   "ec2:DescribeInstances",
                   "ssm:StartSession"
               ],
               "Resource": [
                   "arn:aws:ec2:us-east-1:222222222222:instance/i-123456abc789102de",
                   "arn:aws:ssm:us-east-1:222222222222:document/SSM-SessionManagerRunShell",
                   "arn:aws:ssm:us-east-1:222222222222:document/AWS-StartSSHSession"
               ]
           },
           {
               "Sid":"",
               "Effect":"Allow",
               "Action": [
                   "ssm:TerminateSession"
               ],
               "Resource": "*",
               "Condition": {
                   "StringLike": {
                       "ssm:resourceTag/aws:ssmmessages:session-id": [
                           "AROAXXXXXXXXXXXXX"
                       ]
                   }
               }
   
           }
       ]
   }

最初,ssm:TerminateSessionRoleB 策略中没有条件并且与其他操作一起进行,我进行了此更改以尝试解决此错误,但没有成功,错误消息相同。

我做错了什么?

答案1

您的 RoleB 策略缺少一些权限。根据文档,您需要kms:GenerateDataKey加密会话数据,还需要访问 SSM 创建的文档。以下是文档中的示例策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ssm:StartSession"
            ],
            "Resource": [
                "arn:aws:ec2:region:account-id:instance/instance-id",
                "arn:aws:ssm:region:account-id:document/SSM-SessionManagerRunShell" 
            ],
            "Condition": {
                "BoolIfExists": {
                    "ssm:SessionDocumentAccessCheck": "true" 
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeSessions",
                "ssm:GetConnectionStatus",
                "ssm:DescribeInstanceProperties",
                "ec2:DescribeInstances"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:TerminateSession",
                "ssm:ResumeSession"
            ],
            "Resource": [
                "arn:aws:ssm:*:*:session/${aws:username}-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "kms:GenerateDataKey" 
            ],
            "Resource": "key-name"
        }
    ]
}

参考:https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-quickstart.html#restrict-access-quickstart-end-user

相关内容