AWS CodeCommit with multi-factor authentication. Keep getting "fatal: unable to access .. The requested URL returned error: 403"

Jar*_*rad 6 amazon-web-services aws-codecommit multi-factor-authentication

What's the problem?

My IAM user has two policies: AdministratorAccess and ForceMultiFactorAuthentication. When the ForceMultiFactorAuthentication policy is attached, any operation against the repository from the Windows command line returns a 403 error (e.g. git clone ..). When I remove that policy, I can use the repository (e.g. git clone works).

My question

Is there something in my ForceMultiFactorAuthentication policy that stops CodeCommit from working? How do I set up CodeCommit correctly with multi-factor authentication?

General steps

  1. Create an IAM user group named "Admins" with the AdministratorAccess and ForceMultiFactorAuthentication permissions
  2. Create a non-root IAM user
  3. Add the non-root IAM user to the "Admins" group
  4. Log in as the non-root IAM user, set up MFA on the "Security credentials" tab (scan the QR code, etc.) and create HTTPS Git credentials for AWS CodeCommit
  5. Create a repository in CodeCommit
  6. From the command line, try git clone https://git-codecommit... locally
  7. The command line returns fatal: unable to access 'https://git-codecommit...': The requested URL returned error: 403
  8. As my non-root IAM user, remove the ForceMultiFactorAuthentication policy from the "Admins" group
  9. git clone .. clones the repository. It works.

Doesn't make sense because...

My IAM user has AdministratorAccess. Also, the policy summary shows that CodeCommit has full access to all resources.


My ForceMultiFactorAuthentication policy is as follows (very similar to the policy AWS provides):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowViewAccountInfo",
            "Effect": "Allow",
            "Action": [
                "iam:GetAccountPasswordPolicy",
                "iam:GetAccountSummary",
                "iam:ListVirtualMFADevices",
                "iam:ListUsers"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowManageOwnPasswords",
            "Effect": "Allow",
            "Action": [
                "iam:ChangePassword",
                "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnAccessKeys",
            "Effect": "Allow",
            "Action": [
                "iam:CreateAccessKey",
                "iam:DeleteAccessKey",
                "iam:ListAccessKeys",
                "iam:UpdateAccessKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSigningCertificates",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSigningCertificate",
                "iam:ListSigningCertificates",
                "iam:UpdateSigningCertificate",
                "iam:UploadSigningCertificate"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnSSHPublicKeys",
            "Effect": "Allow",
            "Action": [
                "iam:DeleteSSHPublicKey",
                "iam:GetSSHPublicKey",
                "iam:ListSSHPublicKeys",
                "iam:UpdateSSHPublicKey",
                "iam:UploadSSHPublicKey"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnGitCredentials",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceSpecificCredential",
                "iam:DeleteServiceSpecificCredential",
                "iam:ListServiceSpecificCredentials",
                "iam:ResetServiceSpecificCredential",
                "iam:UpdateServiceSpecificCredential"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnVirtualMFADevice",
            "Effect": "Allow",
            "Action": [
                "iam:CreateVirtualMFADevice",
                "iam:DeleteVirtualMFADevice"
            ],
            "Resource": "arn:aws:iam::*:mfa/${aws:username}"
        },
        {
            "Sid": "AllowManageOwnUserMFA",
            "Effect": "Allow",
            "Action": [
                "iam:DeactivateMFADevice",
                "iam:EnableMFADevice",
                "iam:ListMFADevices",
                "iam:ResyncMFADevice"
            ],
            "Resource": "arn:aws:iam::*:user/${aws:username}"
        },
        {
            "Sid": "DenyAllExceptListedIfNoMFA",
            "Effect": "Deny",
            "NotAction": [
                "iam:CreateVirtualMFADevice",
                "iam:EnableMFADevice",
                "iam:GetUser",
                "iam:ListMFADevices",
                "iam:ListVirtualMFADevices",
                "iam:ResyncMFADevice",
                "sts:GetSessionToken",
                "iam:ListUsers"
            ],
            "Resource": "*",
            "Condition": {
                "BoolIfExists": {
                    "aws:MultiFactorAuthPresent": "false"
                }
            }
        }
    ]
}

Jyo*_*r S 11

The following section of the ForceMultiFactorAuthentication policy denies all requests that are not authenticated with MFA (except for the actions listed in its NotAction section):

{
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
        "iam:ListUsers"
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false"
        }
    }
}

With HTTPS Git credentials, you authenticate to the CodeCommit repository with a username and password. No session token (which is essentially what carries the MFA code) is used, so MFA cannot be verified for that authentication, and as a result your request is denied. The situation is similar for SSH key authentication to CodeCommit.

To fix this, you can add the required codecommit actions to the NotAction list of the policy. You also need to include the kms actions, because the data in a CodeCommit repository is encrypted both in transit and at rest, so when you clone, pull or push from the repository, permission for the encrypt and decrypt operations is required.

The following policy fixes your CodeCommit 403 error.

{
    "Sid": "DenyAllExceptListedIfNoMFA",
    "Effect": "Deny",
    "NotAction": [
        "iam:CreateVirtualMFADevice",
        "iam:EnableMFADevice",
        "iam:GetUser",
        "iam:ListMFADevices",
        "iam:ListVirtualMFADevices",
        "iam:ResyncMFADevice",
        "sts:GetSessionToken",
        "iam:ListUsers",
        "codecommit:GitPull",
        "codecommit:GitPush",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey",
        "kms:GenerateDataKeyWithoutPlaintext",
        "kms:DescribeKey"
    ],
    "Resource": "*",
    "Condition": {
        "BoolIfExists": {
            "aws:MultiFactorAuthPresent": "false"
        }
    }
}

Since you have the AdministratorAccess policy attached to your user, you don't need the full ForceMultiFactorAuthentication policy; the policy above is sufficient. If you want to enforce the MFA restriction for all IAM users (non-admin users), attach the full policy to those users.
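To make the answer's reasoning concrete, here is an added example that is not part of the original question or answer: a small Python model of how IAM evaluates the DenyAllExceptListedIfNoMFA statement against a request. It only models what this thread needs (Allow/Deny, Action/NotAction, and the BoolIfExists test on aws:MultiFactorAuthPresent), not the full IAM evaluation logic, and the request contexts are constructed: Git credentials and SSH keys are modelled as requests where the MFA key is absent altogether, which is exactly the case BoolIfExists treats as a match.

```python
import fnmatch

# Constructed from the two NotAction lists quoted in the answer above.
BASE_NOT_ACTION = [
    "iam:CreateVirtualMFADevice", "iam:EnableMFADevice", "iam:GetUser",
    "iam:ListMFADevices", "iam:ListVirtualMFADevices", "iam:ResyncMFADevice",
    "sts:GetSessionToken", "iam:ListUsers",
]
CODECOMMIT_ADDITIONS = [
    "codecommit:GitPull", "codecommit:GitPush",
    "kms:Encrypt", "kms:Decrypt", "kms:GenerateDataKey",
    "kms:GenerateDataKeyWithoutPlaintext", "kms:DescribeKey",
]


def deny_if_no_mfa(not_action):
    """Build the DenyAllExceptListedIfNoMFA statement around a NotAction list."""
    return {
        "Sid": "DenyAllExceptListedIfNoMFA",
        "Effect": "Deny",
        "NotAction": list(not_action),
        "Resource": "*",
        "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
    }


# AdministratorAccess reduces to "allow everything" for this model.
ADMIN_ALLOW = {"Effect": "Allow", "Action": "*", "Resource": "*"}
ORIGINAL_POLICY = [ADMIN_ALLOW, deny_if_no_mfa(BASE_NOT_ACTION)]
FIXED_POLICY = [ADMIN_ALLOW, deny_if_no_mfa(BASE_NOT_ACTION + CODECOMMIT_ADDITIONS)]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_listed(patterns, action):
    # IAM action names match case-insensitively and may contain wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _statement_covers(stmt, action):
    """Action lists the covered actions; NotAction covers everything else."""
    if "Action" in stmt:
        return _action_listed(stmt["Action"], action)
    return not _action_listed(stmt["NotAction"], action)


def _condition_holds(stmt, context):
    """Only BoolIfExists is modelled: a missing context key makes the test
    succeed, a present key is compared with the expected boolean string."""
    for operator, tests in stmt.get("Condition", {}).items():
        if operator != "BoolIfExists":
            raise NotImplementedError(operator)
        for key, expected in tests.items():
            if key in context and str(context[key]).lower() != expected.lower():
                return False
    return True


def evaluate(policy, action, context):
    """Return 'Deny', 'Allow' or 'ImplicitDeny'; an explicit Deny wins over any Allow."""
    decision = "ImplicitDeny"
    for stmt in policy:
        if not _statement_covers(stmt, action) or not _condition_holds(stmt, context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


# Constructed request contexts. Git credentials / SSH keys carry no MFA key;
# a CLI session obtained via sts:GetSessionToken with an MFA code carries true.
GIT_CREDENTIALS = {}
CLI_NO_MFA = {"aws:MultiFactorAuthPresent": False}
CLI_WITH_MFA = {"aws:MultiFactorAuthPresent": True}

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL_POLICY), ("fixed", FIXED_POLICY)):
        for action in ("codecommit:GitPull", "kms:Decrypt", "s3:GetObject"):
            print(name, action,
                  "git-creds:", evaluate(policy, action, GIT_CREDENTIALS),
                  "mfa-session:", evaluate(policy, action, CLI_WITH_MFA))
```

Running it shows the two behaviours the answer describes: under the original statement a Git-credential request for codecommit:GitPull is denied even though AdministratorAccess allows it, because the absent aws:MultiFactorAuthPresent key satisfies BoolIfExists; under the fixed statement the same request is allowed, while an action outside the NotAction list (s3:GetObject here) is still denied for any request without MFA.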