跨账户执行角色

此角色驻留在托管账户中，由主账户担任。

信任策略

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::${MainAccount}:role/${ApiHandlerRole}",
          "arn:aws:iam::${MainAccount}:role/${WorkflowLoopRunnerRole}",
          "arn:aws:iam::${MemberAccount}:root"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": ${ExternalId}
        }
      }
    }
  ]
}

上面列出的主要是：

• ApiHandlerRole：主 AWS 账户中与 Service Workbench 后端 API 执行关联的角色。
• WorkflowLoopRunnerRole：主 AWS 账户中的一个角色，与后端 API 调用启动的后台工作流执行相关联。
• 托管账户本身。

权限

这些策略支持运行分析。

CloudFormation

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:DeleteStack",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}

Cost Explorer

{
  "Statement": {
    "Action": ["ce:*"],
    "Resource": "*",
    "Effect": "Allow"
  }
}

tip

您需要确认Cost Explorer在托管账户中已启动。请参阅更多信息.

EC2

{
  "Statement": {
    "Action": ["ec2:*"],
    "Resource": "*",
    "Effect": "Allow"
  }
}

EMR

{
  "Statement": {
    "Action": ["elasticmapreduce:*"],
    "Resource": "*",
    "Effect": "Allow"
  }
}

IAM

{
  "Statement": {
    "Action": ["iam:*"],
    "Resource": "*",
    "Effect": "Allow"
  }
}

S3

{
  "Statement": {
    "Action": ["s3:*"],
    "Resource": "*",
    "Effect": "Allow"
  }
}

SageMaker

{
  "Statement": {
    "Action": ["sagemaker:*"],
    "Resource": "*",
    "Effect": "Allow"
  }
}

SSM

{
  "Statement": {
    "Action": ["ssm:*"],
    "Resource": "*",
    "Effect": "Allow"
  }
}