Self-Management Policy for IAM Credentials in the AWS China Regions (Read-Only CodeCommit Edition) - Guide

Goal

Users should be able to read code from CodeCommit. Besides attaching the AWS managed policy AWSCodeCommitReadOnly, a custom policy is also needed so that users can manage their own IAM credentials (password, access keys, signing certificates, SSH public keys and Git credentials). Every statement that changes credentials is scoped to the calling user's own IAM user through the ${aws:username} policy variable, and the ARNs use the aws-cn partition of the China regions.

Custom IAM policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws-cn:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey",
                "iam:GetAccessKeyLastUsed"
            ],
            "Resource": "arn:aws-cn:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "arn:aws-cn:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws-cn:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "arn:aws-cn:iam::*:user/${aws:username}"
        }
    ]
}
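
An added check, not part of the original post: a small Python linter (standard library only) that loads the policy above and flags any Allow statement that grants credential-changing IAM actions on a resource other than the caller's own user, or whose ARN uses a partition other than aws-cn (a common slip when a policy is copied from the global-region documentation). The policy text is the one from this page; the set of read-only actions, the audit function and the deliberately broken variant are constructed for this example.

```python
import json

# The self-management policy from the page (China partition, arn:aws-cn).
POLICY_JSON = r'''{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "AllowViewAccountInfo", "Effect": "Allow",
     "Action": ["iam:GetAccountPasswordPolicy", "iam:GetAccountSummary"],
     "Resource": "*"},
    {"Sid": "AllowManageOwnPasswords", "Effect": "Allow",
     "Action": ["iam:ChangePassword", "iam:GetUser"],
     "Resource": "arn:aws-cn:iam::*:user/${aws:username}"},
    {"Sid": "AllowManageOwnAccessKeys", "Effect": "Allow",
     "Action": ["iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:ListAccessKeys",
                "iam:UpdateAccessKey", "iam:GetAccessKeyLastUsed"],
     "Resource": "arn:aws-cn:iam::*:user/${aws:username}"},
    {"Sid": "AllowManageOwnSigningCertificates", "Effect": "Allow",
     "Action": ["iam:DeleteSigningCertificate", "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate", "iam:UploadSigningCertificate"],
     "Resource": "arn:aws-cn:iam::*:user/${aws:username}"},
    {"Sid": "AllowManageOwnSSHPublicKeys", "Effect": "Allow",
     "Action": ["iam:DeleteSSHPublicKey", "iam:GetSSHPublicKey", "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey", "iam:UploadSSHPublicKey"],
     "Resource": "arn:aws-cn:iam::*:user/${aws:username}"},
    {"Sid": "AllowManageOwnGitCredentials", "Effect": "Allow",
     "Action": ["iam:CreateServiceSpecificCredential", "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials", "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"],
     "Resource": "arn:aws-cn:iam::*:user/${aws:username}"}
  ]
}'''

# Account-level read-only actions that are acceptable on Resource "*"
# (constructed list for this example; extend it to your own read-only set).
READ_ONLY_ACTIONS = {"iam:GetAccountPasswordPolicy", "iam:GetAccountSummary"}

# Resource suffix that pins a statement to the calling user's own IAM user.
SELF_SUFFIX = "user/${aws:username}"


def _as_list(value):
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy, partition="aws-cn"):
    """Return (Sid, reason) findings for statements that break the
    self-management invariant: every non-read-only IAM action must be
    scoped to the caller's own user, and every ARN must use `partition`."""
    findings = []
    for stmt in policy["Statement"]:
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access; not audited here
        actions = _as_list(stmt["Action"])
        mutating = [a for a in actions if a not in READ_ONLY_ACTIONS]
        for res in _as_list(stmt["Resource"]):
            if res == "*":
                if mutating:
                    findings.append((sid, "mutating actions %s on Resource '*'" % mutating))
                continue
            arn_partition = res.split(":")[1]  # arn:<partition>:iam::...
            if arn_partition != partition:
                findings.append((sid, "partition '%s', expected '%s'" % (arn_partition, partition)))
            if mutating and not res.endswith(SELF_SUFFIX):
                findings.append((sid, "mutating actions on '%s' not scoped to own user" % res))
    return findings


POLICY = json.loads(POLICY_JSON)

# Constructed broken variant: one statement copied from the global partition,
# one statement widened to every user's Git credentials.
BROKEN_VARIANT = json.loads(POLICY_JSON)
BROKEN_VARIANT["Statement"][2]["Resource"] = "arn:aws:iam::*:user/${aws:username}"
BROKEN_VARIANT["Statement"][5]["Resource"] = "*"

if __name__ == "__main__":
    print("page policy findings:", audit_policy(POLICY))          # []
    for sid, reason in audit_policy(BROKEN_VARIANT):
        print("finding in %s: %s" % (sid, reason))
```

Run it before attaching a policy in the China regions; a global-partition ARN (arn:aws:) never matches a China-region user, so the affected statement silently grants nothing, while a Resource of "*" on the credential actions would let any user with the policy manage every other user's credentials.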

Summary

With the AWS managed policy AWSCodeCommitReadOnly plus this custom policy, users have read-only access to the CodeCommit code while being able to manage their own IAM credentials.

posted @ 2025-07-19 21:54 by yjbjingcha