# FIS experiment environment permission configuration guide

Purpose: give an EC2 instance the minimum permissions it needs to deploy the resources of a FIS experiment (IAM role, FIS experiment template, CloudWatch dashboard, EKS add-on) through CloudFormation, without the instance itself holding any IAM, FIS or CloudWatch write permissions.

Principle: use the CloudFormation Service Role pattern. Resource-creation permissions are delegated to the CFN Service Role; the EC2 instance only needs `iam:PassRole` to hand that role to CloudFormation.
## Architecture

```
EC2 Instance Profile                          CFN Service Role
┌────────────────────────────────────┐        ┌────────────────────────────────────────────┐
│ Managed policies:                  │        │ Trust: cloudformation.amazonaws.com        │
│ - ReadOnlyAccess                   │        │                                            │
│ - AmazonSSMManagedInstanceCore     │        │ Managed policy:                            │
│                                    │        │ - PowerUserAccess                          │
│ Inline policy                      │        │                                            │
│ FIS-CloudFormation-Access:         │        │ Inline policy FISDeploymentPolicy:         │
│ - cloudformation:*                 │PassRole│ - iam:CreateRole/DeleteRole                │
│   (condition: RoleArn = right Role)│───────>│ - iam:AttachRolePolicy/DetachRolePolicy    │
│ - iam:PassRole (to CFN)            │        │ - iam:PassRole (to FIS/EKS/Lambda/SSM)     │
│ - fis:StartExperiment etc.         │        │ - fis:*                                    │
│                                    │        │ - eks:CreateAddon/DeleteAddon etc.         │
│                                    │        │ - lambda:Create/Delete/Update etc.         │
│                                    │        │ - cloudwatch:*                             │
│                                    │        │ - logs:*                                   │
│                                    │        │ - iam:CreateServiceLinkedRole              │
└────────────────────────────────────┘        └────────────────────────────────────────────┘
```
## 1. CFN Service Role (created once by an administrator)

### 1.1 Trust policy

Allow only the CloudFormation service to assume this role:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "cloudformation.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
### 1.2 Permissions policy

This policy grants CloudFormation every resource permission needed to create a FIS experiment, with the scope limited through the resource ARNs (resource-name prefixes):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMRoleManagement",
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:GetRole",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:GetRolePolicy",
        "iam:AttachRolePolicy",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:TagRole",
        "iam:UntagRole"
      ],
      "Resource": "arn:aws:iam::123456789012:role/*"
    },
    {
      "Sid": "IAMPassRoleToServices",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/*",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "fis.amazonaws.com",
            "eks.amazonaws.com",
            "lambda.amazonaws.com",
            "ssm.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "FISFullAccess",
      "Effect": "Allow",
      "Action": "fis:*",
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchFullAccess",
      "Effect": "Allow",
      "Action": "cloudwatch:*",
      "Resource": "*"
    },
    {
      "Sid": "CloudWatchLogsFullAccess",
      "Effect": "Allow",
      "Action": "logs:*",
      "Resource": "*"
    },
    {
      "Sid": "CreateServiceLinkedRole",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "arn:aws:iam::*:role/aws-service-role/*"
    },
    {
      "Sid": "EKSAddonManagement",
      "Effect": "Allow",
      "Action": [
        "eks:CreateAddon",
        "eks:UpdateAddon",
        "eks:DeleteAddon",
        "eks:DescribeAddon",
        "eks:DescribeAddonVersions",
        "eks:DescribeCluster"
      ],
      "Resource": "*"
    },
    {
      "Sid": "LambdaManagement",
      "Effect": "Allow",
      "Action": [
        "lambda:CreateFunction",
        "lambda:DeleteFunction",
        "lambda:UpdateFunctionCode",
        "lambda:UpdateFunctionConfiguration",
        "lambda:GetFunction",
        "lambda:GetFunctionConfiguration",
        "lambda:ListFunctions",
        "lambda:AddPermission",
        "lambda:RemovePermission",
        "lambda:InvokeFunction",
        "lambda:TagResource",
        "lambda:UntagResource"
      ],
      "Resource": "*"
    }
  ]
}
```
### 1.3 Creation commands

```bash
# 1. Create the role
aws iam create-role \
  --role-name CFN-ServiceRole-FIS \
  --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {"Service": "cloudformation.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }]
  }' \
  --description "CloudFormation Service Role for FIS experiment deployment"

# 2. Attach the permissions policy (save the JSON from 1.2 above as cfn-service-role-policy.json)
aws iam put-role-policy \
  --role-name CFN-ServiceRole-FIS \
  --policy-name FISDeploymentPolicy \
  --policy-document file://cfn-service-role-policy.json

# 3. Attach the PowerUserAccess managed policy
aws iam attach-role-policy \
  --role-name CFN-ServiceRole-FIS \
  --policy-arn arn:aws:iam::aws:policy/PowerUserAccess
```
## 2. Policy attached to the EC2 Instance Profile

Attach the following policy to the role behind the EC2 instance's Instance Profile. The instance's existing read-only permissions stay as they are; only this policy is added.

Note: the `cloudformation:RoleArn` condition key applies only to CreateStack/UpdateStack/DeleteStack. CreateChangeSet/ExecuteChangeSet and similar operations do not support this condition key, so the policy is split into two statements. CreateStack/UpdateStack/DeleteStack are forced by the condition key to use the designated Service Role, while the change-set operations do not create resources themselves (resource creation is carried out by the associated stack operation, which is bound by the condition key).

### 2.1 Inline policy FIS-CloudFormation-Access
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CloudFormationWithRoleCondition",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:DeleteStack"
      ],
      "Resource": "arn:aws:cloudformation:us-west-2:123456789012:stack/*/*",
      "Condition": {
        "StringEquals": {
          "cloudformation:RoleArn": "arn:aws:iam::123456789012:role/CFN-ServiceRole-FIS"
        }
      }
    },
    {
      "Sid": "CloudFormationChangeSetAndDescribe",
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateChangeSet",
        "cloudformation:ExecuteChangeSet",
        "cloudformation:DeleteChangeSet",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeChangeSet",
        "cloudformation:GetTemplate",
        "cloudformation:ListStacks"
      ],
      "Resource": "arn:aws:cloudformation:us-west-2:123456789012:stack/*/*"
    },
    {
      "Sid": "CloudFormationValidateAny",
      "Effect": "Allow",
      "Action": "cloudformation:ValidateTemplate",
      "Resource": "*"
    },
    {
      "Sid": "PassCFNServiceRole",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::123456789012:role/CFN-ServiceRole-FIS",
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": "cloudformation.amazonaws.com"
        }
      }
    },
    {
      "Sid": "FISExperimentExecution",
      "Effect": "Allow",
      "Action": [
        "fis:StartExperiment",
        "fis:StopExperiment",
        "fis:GetExperiment",
        "fis:ListExperiments"
      ],
      "Resource": "*"
    }
  ]
}
```
### Attach command

```bash
# Save the JSON above as ec2-fis-cfn-policy.json, then attach it to the EC2 Instance Profile role.
# Replace <EC2_ROLE_NAME> with the actual EC2 Instance Profile role name.
aws iam put-role-policy \
  --role-name <EC2_ROLE_NAME> \
  --policy-name FIS-CloudFormation-Access \
  --policy-document file://ec2-fis-cfn-policy.json
```
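As an added offline check (not part of the original guide), the following Python script verifies the three invariants that sections 1.1 and 2.1 rely on: the trust policy admits only `cloudformation.amazonaws.com`, every statement granting CreateStack/UpdateStack/DeleteStack pins `cloudformation:RoleArn` to the CFN Service Role, and `iam:PassRole` is limited to that role for the CloudFormation service. It goes slightly beyond the documents shown by also flagging wildcards (`*`, `cloudformation:*`, `iam:*`) that would silently cover those actions; the embedded policies are constructed, shortened copies of the guide's JSON, and the function names are this example's own.

```python
CFN_ROLE = "arn:aws:iam::123456789012:role/CFN-ServiceRole-FIS"
CFN_SVC = "cloudformation.amazonaws.com"
STACK_WRITES = {"cloudformation:" + a for a in ("CreateStack", "UpdateStack", "DeleteStack")}

def _lst(v):  # IAM accepts a string or a list in most fields; normalise to a list
    return v if isinstance(v, list) else [v]

def _allows(policy):
    return [s for s in _lst(policy["Statement"]) if s.get("Effect") == "Allow"]

def _string_equals(stmt, key):
    return _lst(stmt.get("Condition", {}).get("StringEquals", {}).get(key, []))

def trust_limited_to(policy, service):
    """Trust policy: each Allow statement may name only `service` as its principal."""
    for s in _allows(policy):
        principal = s.get("Principal")  # a bare "*" (anyone) is a string, not a dict
        if not isinstance(principal, dict) or _lst(principal.get("Service", [])) != [service]:
            return False
    return True

def stack_writes_pinned(policy, role_arn):
    """Create/Update/DeleteStack grants (even via cloudformation:*) must pin cloudformation:RoleArn."""
    for s in _allows(policy):
        acts = set(_lst(s["Action"]))
        if acts & STACK_WRITES or acts & {"*", "cloudformation:*"}:
            if _string_equals(s, "cloudformation:RoleArn") != [role_arn]:
                return False
    return True

def passrole_pinned(policy, role_arn, service):
    """iam:PassRole (also via a wildcard) may target only role_arn, only for service."""
    for s in _allows(policy):
        acts = set(_lst(s["Action"]))
        if "iam:PassRole" in acts or acts & {"*", "iam:*"}:
            if (_lst(s["Resource"]) != [role_arn]
                    or _string_equals(s, "iam:PassedToService") != [service]):
                return False
    return True

# Constructed, shortened copies of the guide's documents (only the statements the checks read).
TRUST = {"Statement": [{"Effect": "Allow", "Principal": {"Service": CFN_SVC},
                        "Action": "sts:AssumeRole"}]}
EC2_OK = {"Statement": [
    {"Effect": "Allow", "Action": sorted(STACK_WRITES), "Resource": "*",
     "Condition": {"StringEquals": {"cloudformation:RoleArn": CFN_ROLE}}},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": CFN_ROLE,
     "Condition": {"StringEquals": {"iam:PassedToService": CFN_SVC}}}]}
# Same policy with the RoleArn condition dropped: EC2 could then deploy with any role it can pass.
EC2_BAD = {"Statement": [dict(EC2_OK["Statement"][0], Condition={}), EC2_OK["Statement"][1]]}
```

To check the real files, `json.load` the documents from 1.1 and 2.1 and pass them to the same three functions.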
### 2.2 Attach ReadOnlyAccess

Attach the AWS managed ReadOnlyAccess policy to the EC2 role so that the state of all resources can be read during an experiment:

```bash
aws iam attach-role-policy \
  --role-name <EC2_ROLE_NAME> \
  --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess
```
## 3. Usage

Once the administrator has completed the configuration above, deploying a FIS experiment from the EC2 instance requires passing `--role-arn` to the `aws cloudformation deploy` command:

```bash
aws cloudformation deploy \
  --template-file cfn-template.yaml \
  --stack-name fis-rds-reboot-demo-mysql-xxxxx \
  --role-arn arn:aws:iam::123456789012:role/CFN-ServiceRole-FIS \
  --capabilities CAPABILITY_NAMED_IAM \
  --region us-west-2
```
## 4. Summary of security constraints

| Constraint | How it is enforced |
|---|---|
| EC2 has no IAM/CloudWatch write permissions | All IAM/CW operations are performed by the CFN Service Role |
| EC2 can run FIS experiments directly | Execution permissions such as fis:StartExperiment/StopExperiment |
| EC2 can deploy only with the designated Service Role | `cloudformation:RoleArn` condition key |
| CFN Service Role can create only FIS-related roles | IAM resource ARN restriction (`arn:aws:iam::123456789012:role/*`) |
| CFN Service Role can be used only by CloudFormation | Trust policy allows only cloudformation.amazonaws.com |
| Full CloudWatch access | CFN Service Role carries cloudwatch:* |
| EKS add-on management | CFN Service Role carries eks:CreateAddon/UpdateAddon/DeleteAddon etc. |
| IAM PassRole to EKS | Allows passing the IRSA role to the EKS service |
| IAM PassRole to Lambda | Allows passing the execution role to the Lambda service |
| IAM PassRole to FIS | Allows passing the execution role to the FIS service |
| IAM PassRole to SSM | Allows passing the execution role to the SSM service |
| Lambda function management | CFN Service Role carries lambda:CreateFunction/DeleteFunction etc. |
| Full CloudWatch Logs access | CFN Service Role carries logs:* (FIS experiment logging) |
| Service-linked role creation | CFN Service Role carries iam:CreateServiceLinkedRole (the first FIS run must create AWSServiceRoleForFIS; the AZ Power Interruption scenario must create AWSServiceRoleForZonalAutoshiftPracticeRun) |
## 5. Cleanup

To revoke this configuration:

```bash
# 1. Remove the policies attached to the EC2 role
aws iam delete-role-policy --role-name <EC2_ROLE_NAME> --policy-name FIS-CloudFormation-Access
aws iam detach-role-policy --role-name <EC2_ROLE_NAME> --policy-arn arn:aws:iam::aws:policy/ReadOnlyAccess

# 2. Delete the CFN Service Role
aws iam delete-role-policy --role-name CFN-ServiceRole-FIS --policy-name FISDeploymentPolicy
aws iam detach-role-policy --role-name CFN-ServiceRole-FIS --policy-arn arn:aws:iam::aws:policy/PowerUserAccess
aws iam delete-role --role-name CFN-ServiceRole-FIS
```