
Master Account Role

This role lives in the Master AWS Account and is assumed by the Main AWS Account.

Master Account Role Trust Policy

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${MainAccount}:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "${ExternalId}"
        }
      }
    }
  ]
}

The sts:ExternalId value must be a quoted JSON string ("${ExternalId}"); left unquoted, the document is not valid JSON and the role cannot be created. The condition is what stops a third party that knows only the role ARN from assuming the role (the confused-deputy case): the Main account must present the same external ID on every sts:AssumeRole call.

Master Account Role Permissions

The required managed and inline policy permissions are detailed below.

Managed Policy: AWSOrganizationsFullAccess

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "organizations:*",
      "Resource": "*"
    }
  ]
}
Danger

Rather than granting organizations:*, restrict the allowed actions to organizations:CreateAccount, organizations:DescribeCreateAccountStatus and organizations:DescribeAccount.

Inline Policy: sts:AssumeRole

This inline policy controls which role the Master AWS Account may assume in other accounts: only the OrganizationAccountAccessRole, in any account.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole"
  }
}
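The following Python is an added example and is not code from the original page or the project it documents. It renders the trust policy above with the ExternalId as a proper JSON string, builds the least-privilege replacement for AWSOrganizationsFullAccess that the danger note asks for, flags the two problems a reviewer checks a trust policy for (invalid JSON such as an unquoted ExternalId, and an sts:AssumeRole statement with no sts:ExternalId condition), and models how the StringEquals condition on sts:ExternalId decides an AssumeRole call. The account IDs and the external ID are constructed placeholders, and the evaluator is a simplified model of the trust-policy side only.

```python
"""Added example (not from the page): Master account role policies and a
model of the sts:ExternalId check. Account IDs and the external ID below
are constructed placeholders, not values from the page."""
import json
from typing import Any, Dict, List, Optional

# Constructed sample values (assumptions).
MAIN_ACCOUNT = "111111111111"
EXTERNAL_ID = "example-external-id-42"

# The three Organizations actions the page's danger note says are sufficient.
LEAST_PRIVILEGE_ACTIONS = [
    "organizations:CreateAccount",
    "organizations:DescribeCreateAccountStatus",
    "organizations:DescribeAccount",
]


def _as_list(value: Any) -> List[Any]:
    """IAM accepts a string or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy(main_account: str, external_id: str) -> Dict[str, Any]:
    """Trust policy for the Master account role: only principals of the Main
    account may assume it, and only when they present the external ID."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{main_account}:root"},
            "Action": "sts:AssumeRole",
            # A JSON string: the page's unquoted ${ExternalId} is invalid JSON.
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def trust_policy_json(main_account: str, external_id: str) -> str:
    return json.dumps(trust_policy(main_account, external_id), indent=2)


def permissions_policy(actions: List[str] = LEAST_PRIVILEGE_ACTIONS) -> Dict[str, Any]:
    """Replacement for AWSOrganizationsFullAccess granting only the listed
    Organizations actions instead of organizations:*."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}],
    }


def check_trust_policy_json(text: str) -> List[str]:
    """Findings for a trust policy given as text; [] when it parses and every
    sts:AssumeRole statement carries an sts:ExternalId condition."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as err:
        return [f"invalid JSON: {err.msg} at line {err.lineno}"]
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            findings.append("sts:AssumeRole allowed without an sts:ExternalId condition")
    return findings


def assume_role_allowed(policy: Dict[str, Any], caller_account: str,
                        external_id: Optional[str]) -> bool:
    """Simplified model of the trust-policy side of an sts:AssumeRole decision
    for the shape used on this page: an account-root principal plus a
    StringEquals condition on sts:ExternalId. A call that omits ExternalId has
    nothing to compare, so StringEquals fails and the statement does not match.
    (Real evaluation also needs the caller's own IAM policy to allow AssumeRole.)"""
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        if f"arn:aws:iam::{caller_account}:root" not in _as_list(stmt.get("Principal", {}).get("AWS")):
            continue
        expected = _as_list(stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"))
        if expected and (external_id is None or external_id not in expected):
            continue
        return True
    return False


if __name__ == "__main__":
    policy = trust_policy(MAIN_ACCOUNT, EXTERNAL_ID)
    print(trust_policy_json(MAIN_ACCOUNT, EXTERNAL_ID))
    print(json.dumps(permissions_policy(), indent=2))
    print("correct ExternalId:", assume_role_allowed(policy, MAIN_ACCOUNT, EXTERNAL_ID))
    print("missing ExternalId:", assume_role_allowed(policy, MAIN_ACCOUNT, None))
    print("other account:", assume_role_allowed(policy, "222222222222", EXTERNAL_ID))
    # The page's trust policy as printed, with the unquoted ${ExternalId}.
    broken = '{"Statement": [{"Action": "sts:AssumeRole", "Condition": {"StringEquals": {"sts:ExternalId": ${ExternalId}}}}]}'
    print(check_trust_policy_json(broken))
```

Run the file directly to see the rendered policies and the four decisions. The evaluator is deliberately narrow: it knows only the account-root principal form and the StringEquals/sts:ExternalId condition that appear on this page, so do not use it as a general IAM policy simulator.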