
AWS SSM: aws:domainJoin?

Stack Overflow user
Asked on 2019-12-19 23:40:09
Answers: 1  Views: 465  Followers: 0  Votes: 1

I'm trying to set up an EC2 role that allows an instance to join a domain using the New-SSMAssociation PowerShell cmdlet. Does anyone know the minimum permissions required to accomplish this?

I've read the article here (https://aws.amazon.com/premiumsupport/knowledge-center/ec2-systems-manager-dx-domain/), but AmazonEC2RoleforSSM has been deprecated in favour of the policy described there, and when I combine that policy with the AmazonSSMManagedInstanceCore policy I get an error:

New-SSMAssociation : User: arn:aws:sts:assumed-role/MyEC2Role/ is not authorized to perform: ssm:CreateAssociation on resource: arn:aws:ec2:us-east-1::instance/

The only way I've been able to get it working is with ssm:*, but I'd rather not do that if possible. The combined policy I'm using is (without ssm:*):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstanceStatus"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:CreateAssociation"
            ],
            "Resource": "arn:aws:ssm:<region>:<account-id>:document/JoinDomain"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ds:CreateComputer",
                "ds:DescribeDirectories"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:DescribeAssociation",
                "ssm:GetDeployablePatchSnapshotForInstance",
                "ssm:GetDocument",
                "ssm:DescribeDocument",
                "ssm:GetManifest",
                "ssm:GetParameters",
                "ssm:ListAssociations",
                "ssm:ListInstanceAssociations",
                "ssm:PutInventory",
                "ssm:PutComplianceItems",
                "ssm:PutConfigurePackageResult",
                "ssm:UpdateAssociationStatus",
                "ssm:UpdateInstanceAssociationStatus",
                "ssm:UpdateInstanceInformation"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssmmessages:CreateControlChannel",
                "ssmmessages:CreateDataChannel",
                "ssmmessages:OpenControlChannel",
                "ssmmessages:OpenDataChannel"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2messages:AcknowledgeMessage",
                "ec2messages:DeleteMessage",
                "ec2messages:FailMessage",
                "ec2messages:GetEndpoint",
                "ec2messages:GetMessages",
                "ec2messages:SendReply"
            ],
            "Resource": "*"
        }
    ]
}

1 Answer

Stack Overflow user

Posted on 2020-09-23 06:15:13

The following works in our environment.

Create an IAM role with the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SSMDocument",
            "Effect": "Allow",
            "Action": [
                "ssm:CreateAssociation"
            ],
            "Resource": [
                "arn:aws:ec2:${AWS_REGION}:${AWS_ACCOUNT}:instance/*",
                "arn:aws:ssm:${AWS_REGION}:${AWS_ACCOUNT}:document/${SSM_DOCUMENT_NAME}"
            ]
        }
    ]
}

plus the predefined (AWS managed) policies AmazonSSMDirectoryServiceAccess and AmazonSSMManagedInstanceCore.

The userdata is as follows:

<powershell>
# ECS agent settings for this instance, persisted at machine scope
[Environment]::SetEnvironmentVariable("ECS_ENABLE_AWSLOGS_EXECUTIONROLE_OVERRIDE", "true", "Machine")
[Environment]::SetEnvironmentVariable("ECS_ENABLE_CONTAINER_METADATA", "true", "Machine")
Import-Module ECSTools
Initialize-ECSAgent -Cluster '${ECS_CLUSTER_NAME}' -EnableTaskIAMRole
Set-DefaultAWSRegion -Region ${AWS_REGION}
# Look up this instance's ID from the instance metadata service
Set-Variable -Name instance_id -Value (Invoke-RestMethod -Uri http://169.254.169.254/latest/meta-data/instance-id)
# Associate the domain-join SSM document with this instance; the role needs
# ssm:CreateAssociation on both the document ARN and the instance ARN
New-SSMAssociation -Name "${SSM_DOCUMENT_NAME}" -Target @{Key="instanceids";Values=@($instance_id)}
</powershell>

Terraform snippet for the SSM document:

# Existing AWS Directory Service directory the instances will join
data "aws_directory_service_directory" "domain_controller" {
  directory_id = var.directory_id
}

# Renders the userdata.ps1 shown above with the document name, region and cluster filled in
data "template_file" "userdata" {
  template = file("${path.module}/files/userdata.ps1")
  vars = {
    SSM_DOCUMENT_NAME = aws_ssm_document.ad_join_domain.name
    AWS_REGION        = var.region
    ECS_CLUSTER_NAME  = local.cluster_name
  }
}

# Command document whose single step runs the aws:domainJoin plugin
resource "aws_ssm_document" "ad_join_domain" {
  name          = "${var.environment}-ad-join-domain"
  document_type = "Command"
  content = jsonencode(
    {
      "schemaVersion" = "2.2"
      "description"   = "join aws directory services domain"
      "mainSteps" = [
        {
          "action" = "aws:domainJoin",
          "name"   = "domainJoin",
          "inputs" = {
            "directoryId" : data.aws_directory_service_directory.domain_controller.id,
            "directoryName" : data.aws_directory_service_directory.domain_controller.name,
            # dns_ip_addresses is a set; sort() turns it into the string list the plugin expects
            "dnsIpAddresses" : sort(data.aws_directory_service_directory.domain_controller.dns_ip_addresses)
          }
        }
      ]
    }
  )
  tags = {
    environment = var.environment
  }
}
Votes: 0
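To make the difference between the question's policy and the answer's policy concrete, here is an added Python illustration (not code from the question, the answer or AWS) of IAM identity-policy matching applied to the two resources the ssm:CreateAssociation call is authorized against: the document ARN and the target instance ARN. The account ID, region, instance ID and document name are placeholders, and the evaluator is simplified (no Condition, NotAction or NotResource).

```python
import re

# Constructed, offline stand-in for IAM's evaluation of the ssm:CreateAssociation call made by
# New-SSMAssociation. Account, region, instance ID and document name are placeholder values.
ACCOUNT, REGION = "123456789012", "us-east-1"
DOC_ARN = f"arn:aws:ssm:{REGION}:{ACCOUNT}:document/JoinDomain"
INSTANCE_ARN = f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/i-0abc1234def56789a"

# The question's statement: only the document ARN is listed as a resource.
QUESTION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:CreateAssociation"], "Resource": DOC_ARN},
]}
# The answer's statement: the document ARN plus a pattern covering the target instances.
ANSWER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ssm:CreateAssociation"],
     "Resource": [f"arn:aws:ec2:{REGION}:{ACCOUNT}:instance/*", DOC_ARN]},
]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _match(pattern, value, ignore_case=False):
    """IAM wildcard matching: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def is_allowed(policy, action, resource):
    """Evaluate one action on one resource: an explicit Deny wins, otherwise any Allow suffices.
    Action names are case-insensitive in IAM; resource ARNs are case-sensitive."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(a, action, True) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def denied_resources(policy, doc_arn, instance_arn):
    """ARNs the policy does not cover for ssm:CreateAssociation; a non-empty list is the
    'on resource:' part of the AccessDenied error the question reports."""
    return [arn for arn in (doc_arn, instance_arn)
            if not is_allowed(policy, "ssm:CreateAssociation", arn)]

def can_create_association(policy, doc_arn, instance_arn):
    """The association call is authorized against both the document and the instance ARN."""
    return not denied_resources(policy, doc_arn, instance_arn)

if __name__ == "__main__":
    print("question policy denied on:", denied_resources(QUESTION_POLICY, DOC_ARN, INSTANCE_ARN))
    print("answer policy denied on:", denied_resources(ANSWER_POLICY, DOC_ARN, INSTANCE_ARN))
```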
The original page content is provided by Stack Overflow; translation supported by Tencent Cloud's Xiaowei IT-domain engine.
Original link:

https://stackoverflow.com/questions/59412864
