我有两个 AWS 账户,每个账户中有一个角色:Account-A有RoleA和Account-B有RoleB。
RoleA 将假定 RoleB 能够通过 连接到 Account-B 中的 EC2 实例ssm start-session。
使用 RoleA,我能够承担 RoleB 并使用 aws cli 描述 Account-B 中的实例,但由于以下错误,我无法启动 ssm 会话:
An error occurred (AccessDeniedException) when calling the TerminateSession operation: User: arn:aws:sts::222222222222:assumed-role/RoleB/RoleB-SSM-test is not authorized to perform: ssm:TerminateSession on resource: arn:aws:ssm:us-east-1:222222222222:assumed-role/RoleB/RoleB-SSM-test-000000000000 because no identity-based policy allows the ssm:TerminateSession action
RoleA策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"arn:aws:iam::222222222222:role/RoleB"
]
}
]
}
角色B政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": [
"ssm:DescribeSessions",
"ssm:GetConnectionStatus",
"ssm:DescribeInstanceProperties",
"ec2:DescribeInstances",
"ssm:StartSession"
],
"Resource": [
"arn:aws:ec2:us-east-1:222222222222:instance/i-123456abc789102de",
"arn:aws:ssm:us-east-1:222222222222:document/SSM-SessionManagerRunShell",
"arn:aws:ssm:us-east-1:222222222222:document/AWS-StartSSHSession"
]
},
{
"Sid":"",
"Effect":"Allow",
"Action": [
"ssm:TerminateSession"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ssm:resourceTag/aws:ssmmessages:session-id": [
"AROAXXXXXXXXXXXXX"
]
}
}
}
]
}
最初,ssm:TerminateSessionin RoleB 策略没有条件并且与其他操作并存,我进行了此更改以尝试解决此错误,但没有成功,出现相同的错误消息。
我做错了什么?
您的 RoleB 策略缺少某些权限。根据文档,您需要
kms:GenerateDataKey加密会话数据,还需要访问 SSM 生成的文档。以下是文档中的示例策略:参考: https: //docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-quickstart.html#restrict-access-quickstart-end-user