我正在遵循本指南,但它不起作用,我的要求是将“权限集”(例如“支持用户”)分配给包含 AWS Organizations 中的多个账户的特定 OU
但我没有看到 AWS 的示例工作,有没有不使用标签的方法?并且只允许将我的权限设置为特定 OU 的特定内容?
例如?我的 SSO 实例:
arn:aws:sso:::instance/ssoins-722XXXXXXXXX85
我在 AWS 组织中的特定 ou:
arn:aws:organizations::662XXXXXX94:ou/o-akoxg86wr1/ou-xlq4-vhybzk32
来源: AWS-SSO-org
任何指针?非常感谢
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DelegatedOUAdmin",
"Effect": "Allow",
"Action": [
"sso:ProvisionPermissionSet",
"sso:CreateAccountAssignment",
"sso:DeleteInlinePolicyFromPermissionSet",
"sso:UpdateInstanceAccessControlAttributeConfiguration",
"sso:PutInlinePolicyToPermissionSet",
"sso:DeleteAccountAssignment",
"sso:DetachManagedPolicyFromPermissionSet",
"sso:DeletePermissionSet",
"sso:AttachManagedPolicyToPermissionSet",
"sso:CreatePermissionSet",
"sso:UpdatePermissionSet",
"sso:CreateInstanceAccessControlAttributeConfiguration",
"sso:DeleteInstanceAccessControlAttributeConfiguration",
"sso:ProvisionApplicationInstanceForAWSAccount"
],
"Resource": "arn:aws:sso:::permissionSet/*/*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/Environment": "Development",
"aws:ResourceTag/OU": "Test"
}
}
},
{
"Sid": "Instance",
"Effect": "Allow",
"Action": [
"sso:ProvisionPermissionSet",
"sso:CreateAccountAssignment",
"sso:DeleteInlinePolicyFromPermissionSet",
"sso:UpdateInstanceAccessControlAttributeConfiguration",
"sso:PutInlinePolicyToPermissionSet",
"sso:DeleteAccountAssignment",
"sso:DetachManagedPolicyFromPermissionSet",
"sso:DeletePermissionSet",
"sso:AttachManagedPolicyToPermissionSet",
"sso:CreatePermissionSet",
"sso:UpdatePermissionSet",
"sso:CreateInstanceAccessControlAttributeConfiguration",
"sso:DeleteInstanceAccessControlAttributeConfiguration",
"sso:ProvisionApplicationInstanceForAWSAccount"
],
"Resource": [
"arn:aws:sso:::instance/ssoins-722XXXXXXXX85",
"arn:aws:organizations::662XXXXXX94:ou/o-akoxg86wr1/ou-xlq4-vhybzk32"
]
}
}
]
} 在此处输入代码