What is the problem?
My IAM user has two policies: AdministratorAccess and ForceMultiFactorAuthentication. With the ForceMultiFactorAuthentication policy attached, any attempt to operate on the repository from the Windows command line (for example git clone ..) returns a 403 error. When I remove this policy, the repository can be used (for example git clone works fine).
My question
Is my ForceMultiFactorAuthentication policy preventing CodeCommit from working? How do I correctly set up CodeCommit with multi-factor authentication?
General steps to reproduce
- Create an IAM user group named "Admins" with the AdministratorAccess and ForceMultiFactorAuthentication permissions
- Create a non-root IAM user
- Add the non-root IAM user to the "Admins" group
- Sign in as the non-root IAM user, set up MFA on the Security credentials tab (scan the QR code, etc.), and create HTTPS Git credentials for AWS CodeCommit
- Create a repository in CodeCommit
- From the command line, try to clone it locally
git clone https://git-codecommit...
- The command line returns
fatal: unable to access 'https://git-codecommit...': The requested URL returned error: 403
- I removed the ForceMultiFactorAuthentication policy from my non-root IAM user's "Admins" group, ran
git clone ..
and cloned the repository. It works.
What doesn't make sense is...
My IAM user has AdministratorAccess. In addition, the policy summary shows that CodeCommit has full access to all resources.
My ForceMultiFactorAuthentication policy is as follows (it is very similar to the one provided by AWS):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowViewAccountInfo",
      "Effect": "Allow",
      "Action": [
        "iam:GetAccountPasswordPolicy",
        "iam:GetAccountSummary",
        "iam:ListVirtualMFADevices",
        "iam:ListUsers"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowManageOwnPasswords",
      "Effect": "Allow",
      "Action": [
        "iam:ChangePassword",
        "iam:GetUser"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnAccessKeys",
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:ListAccessKeys",
        "iam:UpdateAccessKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnSigningCertificates",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteSigningCertificate",
        "iam:ListSigningCertificates",
        "iam:UpdateSigningCertificate",
        "iam:UploadSigningCertificate"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnSSHPublicKeys",
      "Effect": "Allow",
      "Action": [
        "iam:DeleteSSHPublicKey",
        "iam:GetSSHPublicKey",
        "iam:ListSSHPublicKeys",
        "iam:UpdateSSHPublicKey",
        "iam:UploadSSHPublicKey"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnGitCredentials",
      "Effect": "Allow",
      "Action": [
        "iam:CreateServiceSpecificCredential",
        "iam:DeleteServiceSpecificCredential",
        "iam:ListServiceSpecificCredentials",
        "iam:ResetServiceSpecificCredential",
        "iam:UpdateServiceSpecificCredential"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnVirtualMFADevice",
      "Effect": "Allow",
      "Action": [
        "iam:CreateVirtualMFADevice",
        "iam:DeleteVirtualMFADevice"
      ],
      "Resource": "arn:aws:iam::*:mfa/${aws:username}"
    },
    {
      "Sid": "AllowManageOwnUserMFA",
      "Effect": "Allow",
      "Action": [
        "iam:DeactivateMFADevice",
        "iam:EnableMFADevice",
        "iam:ListMFADevices",
        "iam:ResyncMFADevice"
      ],
      "Resource": "arn:aws:iam::*:user/${aws:username}"
    },
    {
      "Sid": "DenyAllExceptListedIfNoMFA",
      "Effect": "Deny",
      "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
        "iam:ListUsers"
      ],
      "Resource": "*",
      "Condition": {
        "BoolIfExists": {
          "aws:MultiFactorAuthPresent": "false"
        }
      }
    }
  ]
}
kms:ReEncrypt. I believe the above policy is sufficient. Please check whether all Git operations can be performed with the above policy. If you receive any further errors related to kms, try adding kms:ReEncryptFrom and kms:ReEncryptFrom and check. - Jyothish

kms:Encrypt and kms:Decrypt are sufficient. The other kms actions have not affected me yet, but if I run into problems I will try adding them in the future! - Jarad