Alibaba Cloud cross-enterprise authorization for the RDS autonomy service

Requirement

Prerequisite: two Alibaba Cloud primary accounts, representing two enterprises that both use Alibaba Cloud. The granting primary account authorizes a RAM user that belongs to the grantee primary account; that RAM user then logs in and accesses the resources by switching identity (assuming the role).

Grantee enterprise account: pool****

Granting enterprise account: 燎原*****

Goal and procedure: "燎原*****" grants read and monitoring permissions on one RDS instance in Beijing to "pool****". The granting primary account does this by creating a RAM role that the grantee primary account's RAM user may assume; the grantee's RAM user logs in and switches identity to that role to reach the granting account's RDS resource.

Steps

RDS resource in the granting primary account: authorized instance ID rm-2ze89cbt619y6a056

In the granting primary account, create a role in RAM (Resource Access Management):

When configuring the role, choose "Other Alibaba Cloud account" as the trusted entity and enter the grantee's primary account ID.

Create a custom policy so that the grant is precise (least privilege):

Create a permission policy (for example, strategy_for_pool*****)

Either the visual editor or the script editor can be used:

Visual editor: add the resource type, the read/write permission level, and the resource itself (the Beijing RDS instance)

Script editor (more flexible):

Policy template for authorizing the autonomy service:

{
  "Version": "1",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "rds:DescribeBinlogFiles",
        "rds:DescribeBackupTasks",
        "rds:DescribeBackups",
        "rds:DescribeCrossBackupMetaList",
        "rds:DescribeCrossRegionBackupDBInstance",
        "rds:DescribeCrossRegionBackups",
        "rds:DescribeDatabases",
        "rds:DescribeCrossRegionLogBackupFiles",
        "rds:DescribeDBInstanceAttribute",
        "rds:DescribeDBInstanceByTags",
        "rds:DescribeAccounts",
        "rds:DescribeActionEventPolicy",
        "rds:DescribeAvailableClasses",
        "rds:DescribeAvailableCrossRegion",
        "rds:DescribeAvailableRecoveryTime",
        "rds:DescribeAvailableZones",
        "rds:DescribeBackupPolicy",
        "rds:DescribeDBInstanceDetail",
        "rds:DescribeDBInstanceHAConfig",
        "rds:DescribeDBInstanceIpHostname",
        "rds:DescribeDBInstanceIPArrayList",
        "rds:DescribeDBInstanceMonitor",
        "rds:DescribeDBInstanceNetInfo",
        "rds:DescribeDBInstancePerformance",
        "rds:DescribeDBInstanceProxyConfiguration",
        "rds:DescribeDBInstances",
        "rds:DescribeDBInstancesAsCsv",
        "rds:DescribeDBInstancesByExpireTime",
        "rds:DescribeDBInstancesByPerformance",
        "rds:DescribeDBInstancesOverview",
        "rds:DescribeDBInstanceSSL",
        "rds:DescribeDBInstanceTDE",
        "rds:DescribeDBProxy",
        "rds:DescribeLocalAvailableRecoveryTime",
        "rds:DescribeInstanceCrossBackupPolicy",
        "rds:DescribeInstanceAutoRenewalAttribute",
        "rds:DescribeHostAccounts",
        "rds:DescribeHASwitchConfig",
        "rds:CheckAccountNameAvailable",
        "rds:CheckCloudResourceAuthorized",
        "rds:CheckCreateDdrDBInstance",
        "rds:CheckDBNameAvailable",
        "rds:CheckRecoveryConditions",
        "rds:CheckRegionSupportBackupEncryption",
        "rds:DescribeBackupDatabase",
        "rds:DescribeDBProxyEndpoint",
        "rds:DescribeDBProxyPerformance",
        "rds:DescribeDedicatedHostAttribute",
        "rds:DescribeDedicatedHostGroups",
        "rds:DescribeDedicatedHosts",
        "rds:DescribeDetachedBackups",
        "rds:DescribeDiagnosticReportList",
        "rds:DescribeDTCSecurityIpHostsForSQLServer",
        "rds:DescribeErrorLogs",
        "rds:DescribeEvents",
        "rds:DescribeLogBackupFiles",
        "rds:DescribeMetaList",
        "rds:DescribeMigrateTasks",
        "rds:DescribeModifyParameterLog",
        "rds:DescribeNextEventForSign",
        "rds:DescribeOssDownloads",
        "rds:DescribeParameterGroup",
        "rds:DescribeParameterGroups",
        "rds:DescribeParameters",
        "rds:DescribeProxyFunctionSupport",
        "rds:DescribeRdsResourceSettings",
        "rds:DescribeReadDBInstanceDelay",
        "rds:DescribeResourceUsage",
        "rds:DescribeSlowLogRecords",
        "rds:DescribeSlowLogs",
        "rds:DescribeSQLCollectorPolicy",
        "rds:DescribeSQLCollectorRetention",
        "rds:DescribeSQLLogFiles",
        "rds:DescribeSQLLogRecords",
        "rds:DescribeSQLLogReports",
        "rds:DescribeTags",
        "rds:DescribeTasks",
        "rds:ListTagResources",
        "rds:RequestServiceOfCloudDBExpert",
        "rds:DescribeGadInstances",
        "hdm:Get*",
        "hdm:Describe*",
        "hdm:Query*"
      ],
      "Resource": "acs:rds:cn-beijing:1637691491324508:dbinstance/rm-2ze89cb**********"
    }
  ]
}

Where:
RDS read permissions: "rds:Describe*"
Autonomy service read permissions: "hdm:Get*", "hdm:Describe*", "hdm:Query*"
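As an added example (not part of the original post), a small Python audit that checks a policy of this shape against the criterion stated above: only Describe*/Check*/Get*/Query* (and List*) verbs, and a Resource scoped to exactly one RDS instance. It handles several statements per policy and string-or-list Action/Resource fields; the sample policies, account ID and instance ID inside it are constructed placeholders, not the post's values.

```python
import json
import re

# Criterion from the post: read/monitor access means only Describe*, Check*,
# Get*, Query* (plus List*) verbs; any other verb is reported for review.
READ_PREFIXES = ("Describe", "Check", "Get", "Query", "List")
# Resource must name one RDS instance: acs:rds:<region>:<account-id>:dbinstance/<id>
RDS_INSTANCE_ARN = re.compile(r"^acs:rds:[a-z0-9-]+:\d+:dbinstance/[^*/]+$")


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy_json: str) -> dict:
    """Return non-read actions and resources not scoped to one RDS instance."""
    policy = json.loads(policy_json)
    suspect_actions, unscoped_resources = [], []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        for action in _as_list(stmt.get("Action")):
            verb = action.partition(":")[2]
            if not verb.startswith(READ_PREFIXES):
                suspect_actions.append(action)
        for res in _as_list(stmt.get("Resource")):
            if not RDS_INSTANCE_ARN.match(res):
                unscoped_resources.append(res)
    return {"suspect_actions": suspect_actions,
            "unscoped_resources": unscoped_resources,
            "ok": not suspect_actions and not unscoped_resources}


# Constructed samples (placeholder account ID and instance ID, not the post's).
SCOPED_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["rds:DescribeDBInstanceAttribute", "rds:DescribeSlowLogs",
               "rds:CheckRecoveryConditions", "hdm:Get*", "hdm:Describe*", "hdm:Query*"],
    "Resource": "acs:rds:cn-beijing:1234567890123456:dbinstance/rm-EXAMPLE000000"}]})

WEAK_POLICY = json.dumps({"Version": "1", "Statement": [{
    "Effect": "Allow",
    "Action": ["rds:DescribeDBInstances", "rds:DeleteDBInstance"],
    "Resource": "*"}]})  # write action plus wildcard resource: not least privilege

if __name__ == "__main__":
    print(audit_policy(SCOPED_POLICY))  # {'suspect_actions': [], 'unscoped_resources': [], 'ok': True}
    print(audit_policy(WEAK_POLICY))
```

Run against the template above, replace the masked instance ID with the real one first (the asterisks would otherwise be reported as an unscoped resource); rds:RequestServiceOfCloudDBExpert will be listed for manual review because its verb matches none of the read prefixes.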

Grant the permission (attach the policy to the role):

Log in to the grantee primary account, create a RAM user, and grant it STS (AssumeRole) permission

Obtain the RAM user's login password and grant the RAM user its permissions

Log in as the grantee account's RAM user, then switch identity after logging in

Log in using the granting primary account's ID (or its enterprise alias)

The identity changes: the user rds-ram now assumes the role for-pool***** and can access the resources granted by the granting primary account

The resource is accessed successfully

Published by: LJH. Please credit the source when reposting: https://www.ljh.cool/37003.html