Skip to main content

跨账户执行角色

此角色驻留在托管账户中,由主账户担任。

信任策略

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::${MainAccount}:role/${ApiHandlerRole}",
"arn:aws:iam::${MainAccount}:role/${WorkflowLoopRunnerRole}",
"arn:aws:iam::${MemberAccount}:root"
]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": ${ExternalId}
}
}
}
]
}

上面列出的主要是:

  • ApiHandlerRole:主 AWS 账户中与 Service Workbench 后端 API 执行关联的角色。
  • WorkflowLoopRunnerRole:主 AWS 账户中的一个角色,与后端 API 调用启动的后台工作流执行相关联。
  • 托管账户本身。

权限

这些策略支持运行分析。

CloudFormation

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackEvents"
],
"Resource": "*",
"Effect": "Allow"
}
]
}

Cost Explorer

{
"Statement": {
"Action": ["ce:*"],
"Resource": "*",
"Effect": "Allow"
}
}
tip

您需要确认Cost Explorer在托管账户中已启动。请参阅更多信息.

EC2

{
"Statement": {
"Action": ["ec2:*"],
"Resource": "*",
"Effect": "Allow"
}
}

EMR

{
"Statement": {
"Action": ["elasticmapreduce:*"],
"Resource": "*",
"Effect": "Allow"
}
}

IAM

{
"Statement": {
"Action": ["iam:*"],
"Resource": "*",
"Effect": "Allow"
}
}

S3

{
"Statement": {
"Action": ["s3:*"],
"Resource": "*",
"Effect": "Allow"
}
}

SageMaker

{
"Statement": {
"Action": ["sagemaker:*"],
"Resource": "*",
"Effect": "Allow"
}
}

SSM

{
"Statement": {
"Action": ["ssm:*"],
"Resource": "*",
"Effect": "Allow"
}
}