What is the problem?
My IAM user has two policies: AdministratorAccess and ForceMultiFactorAuthentication. When the ForceMultiFactorAuthentication policy is attached, any attempt to operate on the repository from the Windows command line returns a 403 error (e.g. git clone ..). When I remove the policy, I can use the repository (e.g. git clone works).
My question
What is it about my ForceMultiFactorAuthentication policy that stops code commits from working? How do I correctly set up CodeCommit with multi-factor authentication?
General steps to reproduce
- Create an IAM user group named "Admins" with the AdministratorAccess and ForceMultiFactorAuthentication policies
- Create a non-root IAM user
- Add the non-root IAM user to the "Admins" group
- Log in as the non-root IAM user, set up MFA on the "Security credentials" tab (scan the QR code, etc.), and create HTTPS Git credentials for AWS CodeCommit
- Create a repository in CodeCommit
- From the command line, locally, try
git clone https://git-codecommit...
- The command line returns
fatal: unable to access 'https://git-codecommit...': The requested URL returned error: 403
- As my non-root IAM user, remove the ForceMultiFactorAuthentication policy from the "Admins" group
- Try
git clone ..
It clones the repository. It works.
This doesn't make sense, because...
My IAM user has AdministratorAccess. Also, the policy summary shows CodeCommit has full access to all resources.
My ForceMultiFactorAuthentication policy is as follows (and is very similar to the one AWS provides at https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws_my-sec-creds-self-manage.html):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowViewAccountInfo",
"Effect": "Allow",
"Action": [
"iam:GetAccountPasswordPolicy",
"iam:GetAccountSummary",
"iam:ListVirtualMFADevices",
"iam:ListUsers"
],
"Resource": "*"
},
{
"Sid": "AllowManageOwnPasswords",
"Effect": "Allow",
"Action": [
"iam:ChangePassword",
"iam:GetUser"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnAccessKeys",
"Effect": "Allow",
"Action": [
"iam:CreateAccessKey",
"iam:DeleteAccessKey",
"iam:ListAccessKeys",
"iam:UpdateAccessKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSigningCertificates",
"Effect": "Allow",
"Action": [
"iam:DeleteSigningCertificate",
"iam:ListSigningCertificates",
"iam:UpdateSigningCertificate",
"iam:UploadSigningCertificate"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnSSHPublicKeys",
"Effect": "Allow",
"Action": [
"iam:DeleteSSHPublicKey",
"iam:GetSSHPublicKey",
"iam:ListSSHPublicKeys",
"iam:UpdateSSHPublicKey",
"iam:UploadSSHPublicKey"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnGitCredentials",
"Effect": "Allow",
"Action": [
"iam:CreateServiceSpecificCredential",
"iam:DeleteServiceSpecificCredential",
"iam:ListServiceSpecificCredentials",
"iam:ResetServiceSpecificCredential",
"iam:UpdateServiceSpecificCredential"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "AllowManageOwnVirtualMFADevice",
"Effect": "Allow",
"Action": [
"iam:CreateVirtualMFADevice",
"iam:DeleteVirtualMFADevice"
],
"Resource": "arn:aws:iam::*:mfa/${aws:username}"
},
{
"Sid": "AllowManageOwnUserMFA",
"Effect": "Allow",
"Action": [
"iam:DeactivateMFADevice",
"iam:EnableMFADevice",
"iam:ListMFADevices",
"iam:ResyncMFADevice"
],
"Resource": "arn:aws:iam::*:user/${aws:username}"
},
{
"Sid": "DenyAllExceptListedIfNoMFA",
"Effect": "Deny",
"NotAction": [
"iam:CreateVirtualMFADevice",
"iam:EnableMFADevice",
"iam:GetUser",
"iam:ListMFADevices",
"iam:ListVirtualMFADevices",
"iam:ResyncMFADevice",
"sts:GetSessionToken",
"iam:ListUsers"
],
"Resource": "*",
"Condition": {
"BoolIfExists": {
"aws:MultiFactorAuthPresent": "false"
}
}
}
]
}
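An added example, not part of the original post and not AWS code: a small Python model of how the DenyAllExceptListedIfNoMFA statement above is evaluated, showing why a request that cannot carry an MFA context is denied even though AdministratorAccess would allow it. It models only that one statement (NotAction plus a BoolIfExists condition) and none of the rest of IAM's evaluation logic; the request contexts are constructed and rest on the assumption, not stated on the page, that requests authenticated with HTTPS Git credentials or long-term access keys carry no aws:MultiFactorAuthPresent key at all, that temporary credentials obtained without MFA set it to false, and that a session obtained with MFA sets it to true.

```python
"""Simplified model of the DenyAllExceptListedIfNoMFA statement.

Added example; not AWS code. Only NotAction/Action matching and the
BoolIfExists operator are modelled. Resource matching and every other
IAM evaluation rule are left out.
"""
import fnmatch

# The Deny statement from the policy in the question.
DENY_IF_NO_MFA = {
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
        "iam:ListUsers",
    ],
    "Resource": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
}

# Constructed request contexts (assumptions, see lead-in):
#   HTTPS Git credentials and long-term access keys carry no MFA key,
#   temporary credentials without MFA carry "false",
#   a session obtained with an MFA code carries "true".
GIT_CREDENTIALS = {}
LONG_TERM_ACCESS_KEYS = {}
TEMP_CREDS_NO_MFA = {"aws:MultiFactorAuthPresent": "false"}
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}


def action_matches(patterns, action):
    """IAM action matching with '*' wildcards (e.g. 'codecommit:*')."""
    return any(fnmatch.fnmatchcase(action, p) for p in patterns)


def bool_if_exists(context, key, expected):
    """BoolIfExists: a missing key satisfies the condition; otherwise compare."""
    if key not in context:
        return True
    return str(context[key]).lower() == expected.lower()


def statement_applies(stmt, action, context):
    """True when the statement's action and condition both match the request."""
    if "NotAction" in stmt:
        if action_matches(stmt["NotAction"], action):
            return False  # listed exceptions are never caught by the Deny
    elif not action_matches(stmt["Action"], action):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "BoolIfExists":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            if not bool_if_exists(context, key, expected):
                return False
    return True


def evaluate(action, context, allowed_by_admin=True):
    """Return 'Allow' or 'Deny' for one request.

    allowed_by_admin stands in for AdministratorAccess; an explicit Deny
    always wins over any Allow, which is the point of the exercise.
    """
    if statement_applies(DENY_IF_NO_MFA, action, context):
        return "Deny"
    return "Allow" if allowed_by_admin else "Deny"


if __name__ == "__main__":
    cases = [
        ("codecommit:GitPull", "HTTPS Git credentials", GIT_CREDENTIALS),
        ("codecommit:GitPull", "long-term access keys", LONG_TERM_ACCESS_KEYS),
        ("codecommit:GitPull", "temporary creds, no MFA", TEMP_CREDS_NO_MFA),
        ("codecommit:GitPull", "MFA session", MFA_SESSION),
        ("sts:GetSessionToken", "HTTPS Git credentials", GIT_CREDENTIALS),
    ]
    for action, who, ctx in cases:
        print(f"{action:22} {who:26} -> {evaluate(action, ctx)}")
```

Read this way, the 403 is exactly what the policy asks for: the Deny is keyed on the MFA key being false or absent, a Git credential can never present an MFA code, so codecommit:GitPull is denied regardless of AdministratorAccess. The two ways out are to add codecommit actions to the NotAction list (which exempts them from the MFA requirement) or to authenticate Git with temporary credentials obtained through sts:GetSessionToken plus an MFA code, for example via the AWS CLI credential helper (aws codecommit credential-helper) or git-remote-codecommit, instead of static Git credentials.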