AWS CodeCommit with multi-factor authentication: keep getting "fatal: unable to access .. The requested URL returned error: 403"

6

What is the problem?

My IAM user has two policies: AdministratorAccess and ForceMultiFactorAuthentication. With the ForceMultiFactorAuthentication policy attached, any operation I try against the repository from the Windows command line (for example git clone ..) returns a 403 error. When I remove that policy, I can use the repository (for example, git clone works fine).

My question

Is my ForceMultiFactorAuthentication policy preventing CodeCommit from working? How do I correctly set up CodeCommit with multi-factor authentication?

General steps to reproduce

  1. Create an IAM user group named "Admins" with the AdministratorAccess and ForceMultiFactorAuthentication policies
  2. Create a non-root IAM user
  3. Add the non-root IAM user to the "Admins" group
  4. Log in as the non-root IAM user, set up MFA on the Security credentials tab (scan the QR code, etc.), and create HTTPS Git credentials for AWS CodeCommit
  5. Create a repository in CodeCommit
  6. From the command line, try to clone it locally: git clone https://git-codecommit...
  7. The command line returns fatal: unable to access 'https://git-codecommit...': The requested URL returned error: 403
  8. Remove the ForceMultiFactorAuthentication policy from the "Admins" group that my non-root IAM user belongs to
  9. git clone .. again, and the repository clones. It works.

What doesn't make sense is...

My IAM user has AdministratorAccess. Also, the policy summary shows that CodeCommit has full access to all resources.

My ForceMultiFactorAuthentication policy is as follows (very similar to the one AWS provides):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:ListVirtualMFADevices",
                "iam:ListUsers"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
                "iam:ListUsers"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

1 Answer

11
The following part of your ForceMultiFactorAuthentication policy denies all requests that are not authenticated with MFA (except for the actions listed in the NotAction section).
{
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
        "iam:ListUsers"
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false"
        }
    }
}

With HTTPS Git credentials you authenticate to the CodeCommit repository with a username and password. No session token (essentially the MFA code) is used, so MFA cannot be verified for the authentication, and as a result your request is denied. The same applies to SSH key pair authentication for CodeCommit.

To fix this, you can add the required codecommit actions to the NotAction list of the policy. You also need to include the kms actions, because the data in a CodeCommit repository is encrypted in transit and at rest, so permissions to perform encryption and decryption are needed when cloning, pulling or pushing from/to the repository.

The following policy resolves the CodeCommit 403 error.

{
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
        "iam:ListUsers",
        "codecommit:GitPull",
        "codecommit:GitPush",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false"
        }
    }
}

Since you already have the AdministratorAccess policy attached to your user, you do not need the full ForceMultiFactorAuthentication policy; the statement above is sufficient. If you want to enforce the MFA restriction for all (non-administrator) IAM users, use the full content of your policy and attach it to those users.


Glad it works. I removed kms:ReEncrypt from the solution. I believe the policy above is sufficient. Please check whether you can perform all Git operations with the policy above. If you get any further kms-related errors, try adding kms:ReEncryptFrom and kms:ReEncryptTo and check. - Jyothish
1
I just tested it. For my use case, having the two codecommit pull/push actions plus kms:Encrypt and kms:Decrypt is enough. The other kms actions haven't affected me so far, but if I run into problems I'll try adding them in the future! - Jarad
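To make the answer's reasoning checkable offline, here is an added Python simulation (not code from the original post or from AWS) of how this one Deny statement evaluates a request: it models only Effect=Deny, NotAction and the BoolIfExists condition, and assumes, as the answer does, that AdministratorAccess would otherwise allow the action. The request contexts are constructed.

```python
import fnmatch

# Actions the questioner's original statement exempts from the Deny.
BASE_NOT_ACTION = [
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
    "sts:GetSessionToken", "iam:ListUsers",
]
# The answer's fix: also exempt the Git and KMS actions a clone/pull/push needs.
FIXED_NOT_ACTION = BASE_NOT_ACTION + [
    "codecommit:GitPull", "codecommit:GitPush", "kms:Encrypt", "kms:Decrypt",
    "kms:GenerateDataKey", "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
]

def deny_statement(not_action):
    """Build the DenyAllExceptListedIfNoMFA statement around a NotAction list."""
    return {"Effect": "Deny", "NotAction": not_action, "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}

def bool_if_exists(condition, context):
    """BoolIfExists semantics: a key missing from the request context counts as
    a match; a key that is present must equal the expected boolean string."""
    for key, expected in condition.items():
        if key in context and str(context[key]).lower() != expected.lower():
            return False
    return True

def is_denied(stmt, action, context):
    """True if this explicit Deny fires for the action under the given context.
    (Assumption: AdministratorAccess would otherwise allow the action, so the
    explicit Deny is what produces the 403.)"""
    if stmt["Effect"] != "Deny":
        return False
    if any(fnmatch.fnmatchcase(action, p) for p in stmt["NotAction"]):
        return False  # NotAction: the statement covers only unlisted actions
    return bool_if_exists(stmt["Condition"]["BoolIfExists"], context)

# Constructed request contexts. HTTPS Git credentials and SSH keys are long-term
# credentials with no session token, so aws:MultiFactorAuthPresent is absent.
GIT_CREDENTIAL_CONTEXT = {}
MFA_SESSION_CONTEXT = {"aws:MultiFactorAuthPresent": True}

if __name__ == "__main__":
    for name, stmt in [("original", deny_statement(BASE_NOT_ACTION)),
                       ("fixed", deny_statement(FIXED_NOT_ACTION))]:
        for action in ["codecommit:GitPull", "kms:Decrypt", "codecommit:DeleteRepository"]:
            verdict = "denied" if is_denied(stmt, action, GIT_CREDENTIAL_CONTEXT) else "allowed"
            print(f"{name:8s} {action:32s} {verdict}")
```

Note that with the fixed statement a Git-credential request to an action outside the carve-out (such as codecommit:DeleteRepository) is still denied, which is what keeps the MFA requirement meaningful for everything except the Git data path.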

Page content provided by Stack Overflow; the English original is available via the original link above.