Setup: identity-based policy examples
The following sections provide examples of IAM identity-based policies for the AWS Systems Manager Automation service. To learn how to create an IAM identity-based policy by using these example JSON policy documents, see Creating IAM policies in the IAM User Guide.
All of the examples use fictitious account IDs. Do not specify an account ID in the Amazon Resource Name (ARN) of an AWS-owned public document.
Examples
Example 1: Allow a user to run automation documents and view automation executions
The following example IAM policy allows a user to perform the following operations:
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "ssm:StartAutomationExecution",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:111122223333:document/{{DocumentName}}",
"arn:aws:ssm:*:111122223333:automation-execution/*"
]
},
{
"Action": [
"ssm:StopAutomationExecution",
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeAutomationStepExecutions",
"ssm:SendAutomationSignal"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow"
}
]
}
Example 2: Allow a user to run a specific version of an automation document
The following example IAM policy allows a user to run a specific version of an automation document:
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "ssm:StartAutomationExecution",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:111122223333:document/{{DocumentName}}"
],
"Condition": {
"ForAnyValue:StringEquals": {
"ssm:DocumentVersion": ["5"]
}
}
},
{
"Action": [
"ssm:StartAutomationExecution"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow"
},
{
"Action": [
"ssm:StopAutomationExecution",
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeAutomationStepExecutions",
"ssm:SendAutomationSignal"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow"
}
]
}
Example 3: Allow a user to run automation documents that have a specific tag
The following example IAM policy allows a user to run any automation document that has a specific tag:
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "ssm:StartAutomationExecution",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:111122223333:document/*"
],
"Condition": {
"StringEquals": {
"aws:ResourceTag/stage": "production"
}
}
},
{
"Action": [
"ssm:StartAutomationExecution"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow"
},
{
"Action": [
"ssm:StopAutomationExecution",
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeAutomationStepExecutions",
"ssm:SendAutomationSignal"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow"
}
]
}
Example 4: Allow a user to run an automation document when a specific tag parameter is provided for the automation execution
The following example IAM policy grants a user permission to run an automation document when a specific tag parameter is provided for the automation execution:
- Run the automation document specified in the policy. The document name is determined by the following entry.
  arn:aws:ssm:*:111122223333:document/{{DocumentName}}
- A specific tag parameter must be provided for the automation execution. The tag parameter for the automation execution resource is determined by the following entry.
  "aws:ResourceTag/stage": "production"
- Stop and send signals to automation executions that have the specified tag.
- View details about automation executions that have the specified tag.
- Add the specified tag to SSM resources.
{
"Version":"2012-10-17",
"Statement": [
{
"Action": "ssm:StartAutomationExecution",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:111122223333:document/{{DocumentName}}"
]
},
{
"Action": [
"ssm:StartAutomationExecution",
"ssm:StopAutomationExecution",
"ssm:GetAutomationExecution",
"ssm:DescribeAutomationExecutions",
"ssm:DescribeAutomationStepExecutions",
"ssm:SendAutomationSignal"
],
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
],
"Effect": "Allow",
"Condition": {
"StringEquals": {
"aws:ResourceTag/environment": "beta"
}
}
},
{
"Action": "ssm:AddTagsToResource",
"Effect": "Allow",
"Resource": [
"arn:aws:ssm:*:111122223333:automation-execution/*"
]
}
]
}
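To see how the conditions in examples 2 through 4 gate a request, here is an added Python evaluator (not part of the AWS documentation) that decides whether a request is allowed by policies shaped like those above. It models only what these policies use: Allow statements, "*" and "?" wildcards in Resource ARNs, and the StringEquals and ForAnyValue:StringEquals operators; the document name "Example-Doc" and the request contexts are constructed stand-ins for the {{DocumentName}} placeholder and for real IAM request context.

```python
import fnmatch
import json

# Constructed policies modelled on examples 2 and 3 above; "Example-Doc" stands
# in for the {{DocumentName}} placeholder and is not a real document name.
VERSION_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Action": "ssm:StartAutomationExecution", "Effect": "Allow",
   "Resource": ["arn:aws:ssm:*:111122223333:document/Example-Doc"],
   "Condition": {"ForAnyValue:StringEquals": {"ssm:DocumentVersion": ["5"]}}}]}""")
TAG_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Action": "ssm:StartAutomationExecution", "Effect": "Allow",
   "Resource": ["arn:aws:ssm:*:111122223333:document/*"],
   "Condition": {"StringEquals": {"aws:ResourceTag/stage": "production"}}}]}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _condition_ok(condition, ctx):
    """Evaluate the operators these policies use. A condition key that is absent
    from the request context makes StringEquals / ForAnyValue:StringEquals fail,
    so a request that omits ssm:DocumentVersion is not matched by VERSION_POLICY."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            actual, expected = _as_list(ctx[key]), _as_list(expected)
            if operator in ("StringEquals", "ForAnyValue:StringEquals"):
                if not any(a in expected for a in actual):
                    return False
            else:
                raise ValueError(f"operator not modelled: {operator}")
    return True

def is_allowed(policy, action, resource, ctx):
    """True if some Allow statement matches the action (case-insensitive, as in
    IAM), the resource ARN and the request context. No explicit Deny modelled."""
    for st in policy["Statement"]:
        if st["Effect"] != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        if _condition_ok(st.get("Condition", {}), ctx):
            return True
    return False

DOC = "arn:aws:ssm:us-east-1:111122223333:document/Example-Doc"
if __name__ == "__main__":
    print(is_allowed(VERSION_POLICY, "ssm:StartAutomationExecution", DOC, {"ssm:DocumentVersion": "5"}))  # True
    print(is_allowed(VERSION_POLICY, "ssm:StartAutomationExecution", DOC, {}))  # False
    print(is_allowed(TAG_POLICY, "ssm:StartAutomationExecution", DOC, {"aws:ResourceTag/stage": "staging"}))  # False
```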