使用 AWS 控制台创建 IAM 资源

Redis 云

要使用 AWS 控制台手动创建 IAM 资源，请执行以下步骤。

步骤 1：创建 IAM 实例策略

首先，创建一个用于新实例角色的策略：

在 AWS IAM 控制台中，转到 Policies （策略） > Create policy （创建策略）。

在 JSON 选项卡中，粘贴 RedisLabsInstanceRolePolicy.json 策略文件的内容，如下所示：

查看 RedisLabsInstanceRolePolicy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Ec2DescribeAll",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Sid": "GetUserInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:GetUserPolicy"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "RolePolicyUserReadActions",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:GetPolicy",
                "iam:ListUsers",
                "iam:ListPolicies",
                "iam:ListRolePolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:SimulatePrincipalPolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "KeyPairActions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateKeyPair",
                "ec2:DeleteKeyPair",
                "ec2:ImportKeyPair"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateInstancesSnapshotsVolumesAndTags",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:AttachVolume",
                "ec2:StartInstances",
                "ec2:RunInstances",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:ModifyInstanceAttribute"
            ],
            "Resource": "*"
        },
        {
            "Sid": "PassRlClusterNodeRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/redislabs-cluster-node-role"
        },
        {
            "Sid": "ResourceAccessManagerActions",
            "Effect": "Allow",
            "Action": [
                "ram:AcceptResourceShareInvitation",
                "ram:GetResourceShares",
                "ram:RejectResourceShareInvitation",
                "ram:GetResourceShareInvitations",
                "ram:DisassociateResourceShare"
            ],
            "Resource": "*"
        },
        {
            "Sid": "NetworkAccess",
            "Effect": "Allow",
            "Action": [
                "ec2:*Vpc*",
                "ec2:*VpcPeering*",
                "ec2:*Subnet*",
                "ec2:*Gateway*",
                "ec2:*Vpn*",
                "ec2:*Route*",
                "ec2:*Address*",
                "ec2:*SecurityGroup*",
                "ec2:*NetworkAcl*",
                "ec2:*DhcpOptions*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteInstancesVolumesSnapshotsAndTagsWithIdentiferTag",
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:DeleteSnapshot",
                "ec2:DeleteVolume",
                "ec2:DetachVolume",
                "ec2:DeleteTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
                }
            }
        },
        {
            "Sid": "CreateAndChangeServiceLinkedRoleForTransitGateway",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*",
            "Condition": {"StringLike": {"iam:AWSServiceName": "transitgateway.amazonaws.com"}}
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*"
        }
    ]
}



Validate it and then select Review Policy.


Enter RedisLabsInstanceRolePolicy as the policy name and then select Create Policy.


Step 2: Create the service role
To create the role that uses the policy:


In the AWS IAM console, go to Roles and click Create Role.
Select AWS Service as the trusted entity, EC2 as the service
and use case, and click Next: Permissions.
Enter RedisLabsInstanceRolePolicy in the search box to look up the policy we just created,
select it, and click Next: Review.
Name the role redislabs-cluster-node-role and click Create Role.

Step 3: Create the user policy
Now create a policy to assign to the user:



In the AWS IAM console, go to Policies > Create policy.


In the JSON tab, paste the contents of the RedisLabsIAMUserRestrictedPolicy.json policy file.





  
      View RedislabsIAMUserRestrictedPolicy.json
  
      
  
  



{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Ec2DescribeAll",
            "Effect": "Allow",
            "Action": "ec2:Describe*",
            "Resource": "*"
        },
        {
            "Sid": "CloudWatchReadOnly",
            "Effect": "Allow",
            "Action": [
                "cloudwatch:Describe*",
                "cloudwatch:Get*",
                "cloudwatch:List*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "IamUserOperations",
            "Effect": "Allow",
            "Action": [
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ChangePassword"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "RolePolicyUserReadActions",
            "Action": [
                "iam:GetRole",
                "iam:GetPolicy",
                "iam:ListUsers",
                "iam:ListPolicies",
                "iam:ListRolePolicies",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:SimulatePrincipalPolicy"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "KeyPairActions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateKeyPair",
                "ec2:DeleteKeyPair",
                "ec2:ImportKeyPair"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateInstancesSnapshotsVolumesAndTags",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVolume",
                "ec2:AttachVolume",
                "ec2:StartInstances",
                "ec2:RunInstances",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:ModifyInstanceAttribute"
            ],
            "Resource": "*"
        },
        {
            "Sid": "PassRlClusterNodeRole",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::*:role/redislabs-cluster-node-role"
        },
        {
            "Sid": "NetworkAccess",
            "Effect": "Allow",
            "Action": [
                "ec2:*Vpc*",
                "ec2:*VpcPeering*",
                "ec2:*Subnet*",
                "ec2:*Gateway*",
                "ec2:*Vpn*",
                "ec2:*Route*",
                "ec2:*Address*",
                "ec2:*SecurityGroup*",
                "ec2:*NetworkAcl*",
                "ec2:*DhcpOptions*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "DeleteInstancesVolumesSnapshotsAndTagsWithIdentiferTag",
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:DeleteVolume",
                "ec2:DeleteSnapshot",
                "ec2:DetachVolume",
                "ec2:DeleteTags"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC"
                }
            }
        },
        {
            "Sid": "Support",
            "Effect": "Allow",
            "Action": "support:*",
            "Resource": "*"
        }
    ]
}

    






Validate the policy and click Review Policy.


Enter RedislabsIAMUserRestrictedPolicy as the policy name and click Create Policy.


Step 4: Create the programmatic access user
Create a user and attach the policy you created:


In the AWS IAM console, go to Users > select Add user.
Name it redislabs-user and check only the Programmatic access checkbox.
Click Next: Permissions.
Select Attach existing policies directly and select
RedislabsIAMUserRestrictedPolicy from the list.
Click Next: Review.
Click Create user.
Download the user credentials and store them in a secure location.

Step 5: Create the console access role
Last, create a role and attach the policy you created:


In the AWS IAM console, go to Roles > select Create role.
Select Another AWS account.
Under Account ID, enter account number 168085023892 (Redis Cloud's AWS account).
Under Options, check the Require MFA checkbox only. Do not check Require external ID.
Click Next: Permissions.
Attach the policy RedisLabsIAMUserRestrictedPolicy to the role.
Click Next: Review.
Name the role redislabs-role and then click Create role.


        

  
  
    
      RATE THIS PAGE
      
        
        
        ★
        
        
        ★
        
        
        ★
        
        
        ★
        
        
        ★
        
      
      
    
      Back to top ↑

使用 AWS 控制台创建 IAM 资源

步骤 1：创建 IAM 实例策略

Step 2: Create the service role

Step 3: Create the user policy

Step 4: Create the programmatic access user

Step 5: Create the console access role

On this page