

This page is a machine-translated version. If this translation differs from the English original, the English original prevails.

# `AWSSupport-GrantPermissionsToIAMUser`
<a name="automation-awssupport-grantpermissionstoiamuser"></a>

**Description**

This runbook grants the specified permissions to an IAM group (new or existing) and adds an existing IAM user to that group. The policies you can choose from are [Billing](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/job-function/Billing$serviceLevelSummary) and [Support](https://console.aws.amazon.com/iam/home?#/policies/arn:aws:iam::aws:policy/AWSSupportAccess$serviceLevelSummary). Note that to enable billing access for IAM, you must also activate [IAM user and federated user access to the Billing and Cost Management pages](https://docs.aws.amazon.com/console/iam/billing-enable).

**Important**  
If an existing IAM group is supplied, every IAM user currently in that group receives the new permissions.

[Run this Automation (console)](https://console.aws.amazon.com/systems-manager/automation/execute/AWSSupport-GrantPermissionsToIAMUser)

**Document type**

Automation

**Owner**

Amazon

**Platforms**

Linux, macOS, Windows

**Parameters**
+ AutomationAssumeRole

  Type: String

  Description: (Optional) The Amazon Resource Name (ARN) of the AWS Identity and Access Management (IAM) role that allows Systems Manager Automation to perform actions on your behalf. If no role is specified, Systems Manager Automation uses the permissions of the user who starts this runbook.
+ IAMGroupName

  Type: String

  Default: ExampleSupportAndBillingGroup

  Description: (Required) Can be a new or an existing group. Must comply with the [IAM entity name limits](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-names).
+ IAMUserName

  Type: String

  Default: ExampleUser

  Description: (Required) Must be an existing user.
+ LambdaAssumeRole

  Type: String

  Description: (Optional) The ARN of the role assumed by Lambda.
+ Permissions

  Type: String

  Valid values: SupportFullAccess | BillingFullAccess | SupportAndBillingFullAccess

  Default: SupportAndBillingFullAccess

  Description: (Required) Choose one of the following values: `SupportFullAccess` grants full access to the Support Center. `BillingFullAccess` grants full access to the Billing dashboard. `SupportAndBillingFullAccess` grants full access to both the Support Center and the Billing dashboard. For more information about the policies, see the document details.

**Required IAM permissions**

The `AutomationAssumeRole` parameter requires the following actions for the runbook to run successfully.

The required permissions depend on how `AWSSupport-GrantPermissionsToIAMUser` is run.

**Running as the currently signed-in user or role**

It is recommended to attach the `AmazonSSMAutomationRole` Amazon managed policy together with the following additional permissions, which allow the runbook to create the Lambda function and pass an IAM role to Lambda:

------
#### [ JSON ]


```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:InvokeFunction",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction"
            ],
            "Resource": "arn:aws:lambda:*:111122223333:function:AWSSupport-*",
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateGroup",
                "iam:AddUserToGroup",
                "iam:ListAttachedGroupPolicies",
                "iam:GetGroup",
                "iam:GetUser"
            ],
            "Resource": [
                "arn:aws:iam::*:user/*",
                "arn:aws:iam::*:group/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachGroupPolicy"
            ],
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "iam:PolicyArn": [
                        "arn:aws:iam::aws:policy/job-function/Billing",
                        "arn:aws:iam::aws:policy/AWSSupportAccess"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListAccountAliases",
                "iam:GetAccountSummary"
            ],
            "Resource": "*"
        }
    ]
}
```

------

**Using AutomationAssumeRole and LambdaAssumeRole**

The user must have the **ssm:StartAutomationExecution** permission on the runbook and the **iam:PassRole** permission on the IAM roles passed as **AutomationAssumeRole** and **LambdaAssumeRole**. The permissions required for each IAM role are as follows:

**AutomationAssumeRole**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "lambda:InvokeFunction",
                "lambda:CreateFunction",
                "lambda:DeleteFunction",
                "lambda:GetFunction"
            ],
            "Resource": "arn:aws:lambda:*:ACCOUNTID:function:AWSSupport-*",
            "Effect": "Allow"
        }
    ]
}
```

**LambdaAssumeRole**

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateGroup",
                "iam:AddUserToGroup",
                "iam:ListAttachedGroupPolicies",
                "iam:GetGroup",
                "iam:GetUser"
            ],
            "Resource": [
                "arn:aws:iam::*:user/*",
                "arn:aws:iam::*:group/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachGroupPolicy"
            ],
            "Resource": "*",
            "Condition": {
                "ArnEquals": {
                    "iam:PolicyArn": [
                        "arn:aws:iam::aws:policy/job-function/Billing",
                        "arn:aws:iam::aws:policy/AWSSupportAccess"
                    ]
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:ListAccountAliases",
                "iam:GetAccountSummary"
            ],
            "Resource": "*"
        }
    ]
}
```
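The security-relevant detail in both policy documents above is the shape of the `iam:AttachGroupPolicy` grant: the statement allows the action on `Resource: "*"`, but the `ArnEquals` condition on `iam:PolicyArn` restricts it to the two managed policies the runbook is meant to attach, and the Lambda statement is pinned to the `AWSSupport-*` function name prefix in one account. The following offline checker is an added example, not AWS code; it models only the policy features these two documents use (Allow statements, wildcard Actions and Resources, and the `ArnEquals` condition) and uses a constructed copy of the documents with the page's placeholder account id `111122223333`. It shows that the role can attach `AWSSupportAccess` or `Billing` to the group but cannot use the same action to hand out a broader managed policy, and cannot touch Lambda functions outside the runbook's prefix.

```python
"""Offline checker for the Allow statements in the runbook's IAM policy documents.

Added example, not AWS code. Models only what those documents use: exact or wildcard
Action names, Resource ARN patterns with '*' wildcards, and the ArnEquals condition on
iam:PolicyArn. Deny, NotAction, NotResource and other condition operators are out of
scope; an unsupported operator is treated as unsatisfied, so the check fails closed.
"""
import fnmatch

# Constructed policy: the LambdaAssumeRole document from the page plus the account-scoped
# Lambda statement from the AutomationAssumeRole document. 111122223333 is the placeholder
# account id used on the page.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["lambda:InvokeFunction", "lambda:CreateFunction",
                    "lambda:DeleteFunction", "lambda:GetFunction"],
         "Resource": "arn:aws:lambda:*:111122223333:function:AWSSupport-*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateGroup", "iam:AddUserToGroup",
                    "iam:ListAttachedGroupPolicies", "iam:GetGroup", "iam:GetUser"],
         "Resource": ["arn:aws:iam::*:user/*", "arn:aws:iam::*:group/*"]},
        {"Effect": "Allow",
         "Action": ["iam:AttachGroupPolicy"],
         "Resource": "*",
         "Condition": {"ArnEquals": {"iam:PolicyArn": [
             "arn:aws:iam::aws:policy/job-function/Billing",
             "arn:aws:iam::aws:policy/AWSSupportAccess"]}}},
        {"Effect": "Allow",
         "Action": ["iam:ListAccountAliases", "iam:GetAccountSummary"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, fold=False):
    # IAM's '*' and '?' wildcards behave like shell globs. ARNs never contain '[', so
    # fnmatch's bracket syntax cannot misfire. Action names are case-insensitive (fold=True),
    # ARNs are compared case-sensitively.
    if fold:
        pattern, value = pattern.lower(), value.lower()
    return fnmatch.fnmatchcase(value, pattern)


def _condition_satisfied(condition, context):
    """True only if every ArnEquals clause is met by the request context."""
    for operator, clauses in condition.items():
        if operator != "ArnEquals":
            return False  # unsupported operator: fail closed
        for key, allowed in clauses.items():
            actual = context.get(key)
            if actual is None or not any(_matches(p, actual) for p in _as_list(allowed)):
                return False
    return True


def is_allowed(policy, action, resource, context=None):
    """True if some Allow statement covers action and resource and its conditions hold."""
    context = context or {}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_matches(a, action, fold=True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_satisfied(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def audit(policy, account_id="111122223333"):
    """Spot checks that the policy grants only the narrow rights the runbook needs."""
    group = f"arn:aws:iam::{account_id}:group/ExampleSupportAndBillingGroup"
    fn = f"arn:aws:lambda:us-east-1:{account_id}:function:"
    attach = "iam:AttachGroupPolicy"
    support = {"iam:PolicyArn": "arn:aws:iam::aws:policy/AWSSupportAccess"}
    billing = {"iam:PolicyArn": "arn:aws:iam::aws:policy/job-function/Billing"}
    admin = {"iam:PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}
    return {
        # the two managed policies the runbook attaches are allowed ...
        "attach_support": is_allowed(policy, attach, group, support),
        "attach_billing": is_allowed(policy, attach, group, billing),
        # ... but the same action cannot hand out a broader managed policy
        "attach_admin": is_allowed(policy, attach, group, admin),
        "attach_no_context": is_allowed(policy, attach, group),
        # Lambda rights stop at the AWSSupport- prefix inside this account
        "lambda_runbook_fn": is_allowed(policy, "lambda:CreateFunction",
                                        fn + "AWSSupport-GrantPermissionsToIAMUser"),
        "lambda_other_fn": is_allowed(policy, "lambda:CreateFunction", fn + "payroll-export"),
        # membership can be changed, but groups cannot be deleted or policies detached
        "add_user": is_allowed(policy, "iam:AddUserToGroup", group),
        "delete_group": is_allowed(policy, "iam:DeleteGroup", group),
        "detach_policy": is_allowed(policy, "iam:DetachGroupPolicy", group, support),
    }


if __name__ == "__main__":
    for name, allowed in audit(POLICY).items():
        print(f"{name:20s} {'ALLOW' if allowed else 'deny'}")
```

The `attach_no_context` case is worth noting: when the request carries no `iam:PolicyArn` key at all, the `ArnEquals` condition is unmet and the statement does not apply, so the role cannot attach anything unless the policy ARN is one of the two listed. If you adapt these documents to your own account, keep that condition and the `AWSSupport-*` resource prefix; widening either one turns a narrow runbook role into a general policy-attachment capability.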

**Document steps**

1. `aws:createStack` - Runs the CloudFormation template to create the Lambda function.

1. `aws:invokeLambdaFunction` - Runs the Lambda function to set the IAM permissions.

1. `aws:deleteStack` - Deletes the CloudFormation stack.

**Outputs**

configureIAM.Payload