允许用户创建具有特定策略/角色的 IAM 用户的 AWS IAM 策略
我想创建一个策略,允许创建具有有限权限或与创建它们的用户具有相同权限的 IAM 用户.
I want to create a policy that allows for the creation of IAM users that have limited permissions or the same permissions as the user that created them.
基本上;我想允许一个用户创建另一个用户,但同时也明确指定一个用户可以向另一个用户提供哪些策略.
Basically; I want to allow a user to create another user, but to also specify exactly what policies one user is allowed to give to another user.
例如;
我创建了一个新用户:用户 A
I create a new user: User A
用户 A 仅具有创建具有(同等)有限权限的新用户的权限.
User A only has permissions to create new users with (equally) limited permissions.
用户 A 创建一个新用户:用户 B
User A create a new user: User B
用户 B 仅拥有与用户 A 相同的权限(或更少/不同的权限).
User B only has the same permissions as User A (or fewer/different permissions).
我想可能是在资源部分?例如
I thought maybe it was something in the resource section? Eg
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUsersToPerformUserActions",
"Effect": "Allow",
"Action": [
"iam:CreateUser",
],
"Resource": "<Some Specific Policy>"
},
]
}
您无需创建新用户,而是可以使用 GetSessionToken 命令来自 AWS 安全令牌服务.
Rather than creating a new user, you can use the GetSessionToken command from the AWS Security Token Service.
此命令允许任何用户创建临时凭证,其权限与他们拥有的权限相同,或者权限范围从他们自己的权限缩小.(它永远不会拥有比请求用户更多的权限.)
This command allows any user to create temporary credentials with the same permissions that they have, or with permissions scoped-down from their own permissions. (It will never have more permissions that the requesting user.)
临时凭证的有效期为15 分钟到 1 小时.
这些类型的凭据通常用于激活多因素身份验证会话或为不受信任的应用程序创建临时凭据.
These types of credentials are typically used to activate a multi-factor authentication session or to create temporary credentials for an untrusted application.