Skip to main content

Master账户角色

此角色位于Master AWS Account中，由Main AWS Account担任。

Master 账户角色信任策略

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::${MainAccount}:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": ${ExternalId}
        }
      }
    }
  ]
}

Master 账户角色权限

以下详细说明了所需的托管和内联策略权限。

托管策略: AWSOrganizationsFullAccess

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "organizations:*",
            "Resource": "*"
        }
    ]
}

danger

您应将操作限制为 createAccount, describeCreateAccountStatus 和 describeAccount。

内联策略: sts:AssumeRole

该策略用于控制 Master AWS Account 和 Master AWS Account之间的角色：

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::*:role/OrganizationAccountAccessRole"
    }
}

Master 账户角色信任策略
Master 账户角色权限
- 托管策略: AWSOrganizationsFullAccess
- 内联策略: sts:AssumeRole