

This is a machine-translated version. If there is any discrepancy between this translation and the original English text, the English original prevails.

# IAM Identity Center identity-based policy examples
<a name="iam-auth-access-using-id-policies"></a>

This topic provides examples of IAM policies that you can create to grant users and roles permission to administer IAM Identity Center.

**Important**  
We recommend that you first read the introductory topics that explain the basic concepts and options for managing access to your IAM Identity Center resources. For more information, see [Overview of managing access permissions to your IAM Identity Center resources](iam-auth-access-overview.md).

The sections in this topic cover the following:
+ [Custom policy examples](#policyexample)
+ [Permissions required to use the IAM Identity Center console](#requiredpermissionsconsole)

## Custom policy examples
<a name="policyexample"></a>

This section provides examples of common use cases that require a custom IAM policy. These example policies are identity-based policies, which do not specify the Principal element. This is because with an identity-based policy you do not specify the principal who gets the permission; instead, you attach the policy to the principal. When you attach an identity-based permissions policy to an IAM role, the principal identified in the role's trust policy gets the permissions. You can create identity-based policies in IAM and attach them to users, groups, and/or roles. You can also apply these policies to IAM Identity Center users when you create a permission set in IAM Identity Center.

**Note**  
Use these examples when creating policies for your environment, and be sure to test both positive ("grant access") and negative ("deny access") test cases before deploying the policies in a production environment. For more information about testing IAM policies, see [Testing IAM policies with the IAM policy simulator](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies) in the *IAM User Guide*.

**Topics**
+ [Example 1: Allow a user to view IAM Identity Center](#policyexamplesetupenable)
+ [Example 2: Allow a user to manage permissions to AWS accounts in IAM Identity Center](#policyexamplemanageconnecteddirectory)
+ [Example 3: Allow a user to manage applications in IAM Identity Center](#policyexamplemanageapplication)
+ [Example 4: Allow a user to manage users and groups in your Identity Center directory](#policyexamplemanageusersgroups)

### Example 1: Allow a user to view IAM Identity Center
<a name="policyexamplesetupenable"></a>

The following permissions policy grants read-only permissions to a user so they can view all of the settings and directory information configured in IAM Identity Center.

**Note**  
This policy is provided for informational purposes only. In a production environment, we recommend that you use the `ViewOnlyAccess` AWS managed policy for IAM Identity Center.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ds:DescribeDirectories",
                "ds:DescribeTrusts",
                "iam:ListPolicies",
                "organizations:DescribeOrganization",
                "organizations:DescribeAccount",
                "organizations:ListParents",
                "organizations:ListChildren",
                "organizations:ListAccounts",
                "organizations:ListRoots",
                "organizations:ListAccountsForParent",
                "organizations:ListDelegatedAdministrators",
                "organizations:ListOrganizationalUnitsForParent",
                "sso:ListManagedPoliciesInPermissionSet",
                "sso:ListPermissionSetsProvisionedToAccount",
                "sso:ListAccountAssignments",
                "sso:ListAccountsForProvisionedPermissionSet",
                "sso:ListPermissionSets",
                "sso:DescribePermissionSet",
                "sso:GetInlinePolicyForPermissionSet",
                "sso-directory:DescribeDirectory",
                "sso-directory:SearchUsers",
                "sso-directory:SearchGroups"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Example 2: Allow a user to manage permissions to AWS accounts in IAM Identity Center
<a name="policyexamplemanageconnecteddirectory"></a>

The following permissions policy grants permissions to allow a user to create, manage, and deploy permission sets for your AWS accounts.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso:AttachManagedPolicyToPermissionSet",
                "sso:CreateAccountAssignment",
                "sso:CreatePermissionSet",
                "sso:DeleteAccountAssignment",
                "sso:DeleteInlinePolicyFromPermissionSet",
                "sso:DeletePermissionSet",
                "sso:DetachManagedPolicyFromPermissionSet",
                "sso:ProvisionPermissionSet",
                "sso:PutInlinePolicyToPermissionSet",
                "sso:UpdatePermissionSet"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IAMListPermissions",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoles",
                "iam:ListPolicies"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AccessToSSOProvisionedRoles",
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DetachRolePolicy",
                "iam:GetRole",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:PutRolePolicy",
                "iam:UpdateRole",
                "iam:UpdateRoleDescription"
            ],
            "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:GetSAMLProvider"
            ],
            "Resource": "arn:aws:iam::*:saml-provider/AWSSSO_*_DO_NOT_DELETE"
        }
    ]
}
```

------

**Note**  
The additional permissions listed under the `"Sid": "IAMListPermissions"` and `"Sid": "AccessToSSOProvisionedRoles"` sections are required only to enable the user to create assignments in the AWS Organizations management account. In some cases, you might also need to add `iam:UpdateSAMLProvider` to these sections.
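The note in the Custom policy examples section asks for positive ("grant access") and negative ("deny access") test cases before a policy is deployed. The following is an added Python example, not code from the AWS documentation, that runs such cases offline against a constructed excerpt of Example 2 and shows that `iam:CreateRole` is allowed only under the `aws-reserved/sso.amazonaws.com/` role path; the account ID and the ARNs are constructed placeholders, and the evaluator models only the policy features these examples use.

```python
"""Local positive/negative checks for the Example 2 policy above (added
illustration, not AWS code). Only Allow/Deny, Action/Resource wildcards and
implicit deny are modelled; Condition, NotAction and NotResource are not."""
import fnmatch
import json

# Constructed excerpt of Example 2: permission-set actions on any resource,
# plus IAM role actions restricted to the SSO-reserved role path.
EXAMPLE_2_EXCERPT = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["sso:CreatePermissionSet", "sso:ProvisionPermissionSet"],
     "Resource": "*"},
    {"Sid": "AccessToSSOProvisionedRoles", "Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:AttachRolePolicy"],
     "Resource": "arn:aws:iam::*:role/aws-reserved/sso.amazonaws.com/*"}
  ]}""")


def _iam_match(patterns, value, case_sensitive):
    # IAM wildcards: '*' matches any run of characters, '?' a single one.
    # Action names match case-insensitively; resource ARNs are case-sensitive.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    if not case_sensitive:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    allowed = False
    for stmt in policy["Statement"]:
        if (_iam_match(stmt["Action"], action, False)
                and _iam_match(stmt["Resource"], resource, True)):
            if stmt["Effect"] == "Deny":
                return "ExplicitDeny"  # an explicit Deny always wins
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def run_test_cases(policy=EXAMPLE_2_EXCERPT):
    # Constructed ARNs; 111122223333 and ssoins-0123456789abcdef are placeholders.
    sso_instance = "arn:aws:sso:::instance/ssoins-0123456789abcdef"
    sso_role = "arn:aws:iam::111122223333:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_Admin_0123456789abcdef"
    other_role = "arn:aws:iam::111122223333:role/Deployer"
    return {  # positive cases first, then negative ones that must be denied
        "create permission set": evaluate(policy, "sso:CreatePermissionSet", sso_instance),
        "create sso-reserved role": evaluate(policy, "iam:CreateRole", sso_role),
        "create arbitrary role": evaluate(policy, "iam:CreateRole", other_role),
        "delete directory user": evaluate(policy, "sso-directory:DeleteUser", "*"),
    }
```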

### Example 3: Allow a user to manage applications in IAM Identity Center
<a name="policyexamplemanageapplication"></a>

The following permissions policy grants permissions to allow a user to view and configure applications in IAM Identity Center, including pre-integrated SaaS applications in the IAM Identity Center catalog.

**Note**  
The `sso:AssociateProfile` operation used in the following policy example is required for management of user and group assignments to applications. It also allows the user to assign users and groups to AWS accounts using existing permission sets. If a user must manage AWS account access in IAM Identity Center and requires the permissions needed to manage permission sets, see [Example 2: Allow a user to manage permissions to AWS accounts in IAM Identity Center](#policyexamplemanageconnecteddirectory).

As of October 2020, many of these actions are available only through the AWS console. This example policy includes "read" actions such as list, get, and search, which are relevant to the error-free operation of the console in this case.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso:AssociateProfile",
                "sso:CreateApplicationInstance",
                "sso:ImportApplicationInstanceServiceProviderMetadata",
                "sso:DeleteApplicationInstance",
                "sso:DeleteProfile",
                "sso:DisassociateProfile",
                "sso:GetApplicationTemplate",
                "sso:UpdateApplicationInstanceServiceProviderConfiguration",
                "sso:UpdateApplicationInstanceDisplayData",
                "sso:DeleteManagedApplicationInstance",
                "sso:UpdateApplicationInstanceStatus",
                "sso:GetManagedApplicationInstance",
                "sso:UpdateManagedApplicationInstanceStatus",
                "sso:CreateManagedApplicationInstance",
                "sso:UpdateApplicationInstanceSecurityConfiguration",
                "sso:UpdateApplicationInstanceResponseConfiguration",
                "sso:GetApplicationInstance",
                "sso:CreateApplicationInstanceCertificate",
                "sso:UpdateApplicationInstanceResponseSchemaConfiguration",
                "sso:UpdateApplicationInstanceActiveCertificate",
                "sso:DeleteApplicationInstanceCertificate",
                "sso:ListApplicationInstanceCertificates",
                "sso:ListApplicationTemplates",
                "sso:ListApplications",
                "sso:ListApplicationInstances",
                "sso:ListDirectoryAssociations",
                "sso:ListProfiles",
                "sso:ListProfileAssociations",
                "sso:ListInstances",
                "sso:GetProfile",
                "sso:GetSSOStatus",
                "sso:GetSsoConfiguration",
                "sso-directory:DescribeDirectory",
                "sso-directory:DescribeUsers",
                "sso-directory:ListMembersInGroup",
                "sso-directory:SearchGroups",
                "sso-directory:SearchUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

------

### Example 4: Allow a user to manage users and groups in your Identity Center directory
<a name="policyexamplemanageusersgroups"></a>

The following permissions policy grants permissions to allow a user to create, view, modify, and delete users and groups in IAM Identity Center.

In some cases, direct modifications to users and groups in IAM Identity Center are restricted. For example, when either Active Directory or an external identity provider with automatic provisioning enabled is selected as the identity source.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso-directory:ListGroupsForUser",
                "sso-directory:DisableUser",
                "sso-directory:EnableUser",
                "sso-directory:SearchGroups",
                "sso-directory:DeleteGroup",
                "sso-directory:AddMemberToGroup",
                "sso-directory:DescribeDirectory",
                "sso-directory:UpdateUser",
                "sso-directory:ListMembersInGroup",
                "sso-directory:CreateUser",
                "sso-directory:DescribeGroups",
                "sso-directory:SearchUsers",
                "sso:ListDirectoryAssociations",
                "sso-directory:RemoveMemberFromGroup",
                "sso-directory:DeleteUser",
                "sso-directory:DescribeUsers",
                "sso-directory:UpdateGroup",
                "sso-directory:CreateGroup"
            ],
            "Resource": "*"
        }
    ]
}
```

------

## Permissions required to use the IAM Identity Center console
<a name="requiredpermissionsconsole"></a>

For a user to work with the IAM Identity Center console correctly, additional permissions are required. If an IAM policy is created that is more restrictive than the minimum required permissions, the console will not function as expected for users with that policy. The following example lists the set of permissions that might be required to ensure error-free operation within the IAM Identity Center console.

------
#### [ JSON ]

****  

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "sso:DescribeAccountAssignmentCreationStatus",
                "sso:DescribeAccountAssignmentDeletionStatus",
                "sso:DescribePermissionSet",
                "sso:DescribePermissionSetProvisioningStatus",
                "sso:DescribeRegisteredRegions",
                "sso:GetApplicationInstance",
                "sso:GetApplicationTemplate",
                "sso:GetInlinePolicyForPermissionSet",
                "sso:GetManagedApplicationInstance",
                "sso:GetMfaDeviceManagementForDirectory",
                "sso:GetPermissionSet",
                "sso:GetProfile",
                "sso:GetSharedSsoConfiguration",
                "sso:GetSsoConfiguration",
                "sso:GetSSOStatus",
                "sso:GetTrust",
                "sso:ListAccountAssignmentCreationStatus",
                "sso:ListAccountAssignmentDeletionStatus",
                "sso:ListAccountAssignments",
                "sso:ListAccountsForProvisionedPermissionSet",
                "sso:ListApplicationInstanceCertificates",
                "sso:ListApplicationInstances",
                "sso:ListApplications",
                "sso:ListApplicationTemplates",
                "sso:ListDirectoryAssociations",
                "sso:ListInstances",
                "sso:ListManagedPoliciesInPermissionSet",
                "sso:ListPermissionSetProvisioningStatus",
                "sso:ListPermissionSets",
                "sso:ListPermissionSetsProvisionedToAccount",
                "sso:ListProfileAssociations",
                "sso:ListProfiles",
                "sso:ListTagsForResource",
                "sso-directory:DescribeDirectory",
                "sso-directory:DescribeGroups",
                "sso-directory:DescribeUsers",
                "sso-directory:ListGroupsForUser",
                "sso-directory:ListMembersInGroup",
                "sso-directory:SearchGroups",
                "sso-directory:SearchUsers"
            ],
            "Resource": "*"
        }
    ]
}
```

------