创建 IAM 用户概要文件

在 AWS 中部署 IBM Spectrum Virtualize for Public Cloud 软件需要安装程序用户概要文件。该概要文件包含执行与购买、创建实例以及删除已配置资源相关的操作所需的更多权限。必须先在 AWS IAM 管理控制台中创建安装程序用户概要文件,然后才能在 AWS Marketplace 中运行安装模板。如果未分配这些权限,那么成功安装 IBM Spectrum Virtualize for Public Cloud 软件所需的操作将失败。

您可以使用 AWS 缺省管理员概要文件来安装 IBM Spectrum Virtualize for Public Cloud 软件,也可以创建一个仅包含部署该软件所需权限的安装程序用户概要文件。有关更多信息,请参阅“在 AWS 上规划 IAM 用户概要文件和权限”。

要创建安装程序用户概要文件,请完成以下步骤:
  1. 使用 AWS 缺省管理员概要文件登录到 AWS 管理控制台
  2. 选择 IAM
  3. 选择策略 > 创建策略
  4. 选择 JSON 选项卡并添加以下 JSON 内容:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateDhcpOptions",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:ModifyVolumeAttribute",
                    "aws-marketplace:ListBuilds",
                    "ec2:DeleteVpcEndpoints",
                    "ec2:CreateKeyPair",
                    "secretsmanager:DeleteSecret",
                    "ec2:AttachInternetGateway",
                    "iam:PutRolePolicy",
                    "iam:AddRoleToInstanceProfile",
                    "ec2:DeleteRouteTable",
                    "cloudformation:DescribeStackEvents",
                    "ec2:StartInstances",
                    "ec2:CreateNetworkInterfacePermission",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:CreateRoute",
                    "ec2:CreateInternetGateway",
                    "cloudformation:UpdateStack",
                    "ec2:DeleteInternetGateway",
                    "sns:Subscribe",
                    "s3:DeleteObject",
                    "cloudformation:ListStackResources",
                    "iam:GetRole",
                    "ec2:CreateTags",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "sns:CreateTopic",
                    "iam:DeleteRole",
                    "ec2:RunInstances",
                    "ec2:StopInstances",
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:DisassociateRouteTable",
                    "ec2:CreateVolume",
                    "ec2:RevokeSecurityGroupIngress",
                    "ec2:CreateNetworkInterface",
                    "s3:PutObject",
                    "cloudformation:GetStackPolicy",
                    "ec2:CreateDefaultVpc",
                    "cloudformation:DeleteStack",
                    "ec2:DeleteDhcpOptions",
                    "ec2:DeleteNatGateway",
                    "ec2:CreateSubnet",
                    "iam:GetRolePolicy",
                    "secretsmanager:TagResource",
                    "cloudformation:CreateUploadBucket",
                    "iam:CreateInstanceProfile",
                    "ec2:AttachVolume",
                    "ec2:DisassociateAddress",
                    "aws-marketplace:Unsubscribe",
                    "ec2:CreateNatGateway",
                    "ec2:CreateVpc",
                    "cloudformation:UpdateTerminationProtection",
                    "sns:ListTopics",
                    "iam:PassRole",
                    "ec2:CreateDefaultSubnet",
                    "iam:DeleteRolePolicy",
                    "s3:DeleteBucket",
                    "iam:DeleteInstanceProfile",
                    "ec2:ReleaseAddress",
                    "ec2:RebootInstances",
                    "aws-marketplace:ViewSubscriptions",
                    "ec2:AssociateDhcpOptions",
                    "ec2:ModifyInstancePlacement",
                    "sns:GetTopicAttributes",
                    "iam:ListRoles",
                    "ec2:Describe*",
                    "s3:ListAllMyBuckets",
                    "ec2:DeleteSubnet",
                    "iam:RemoveRoleFromInstanceProfile",
                    "iam:CreateRole",
                    "s3:CreateBucket",
                    "sns:Unsubscribe",
                    "ec2:AssociateRouteTable",
                    "ec2:DeleteVolume",
                    "ec2:CreatePlacementGroup",
                    "ssm:DescribeParameters",
                    "ec2:Get*",
                    "ec2:DetachVolume",
                    "cloudformation:DescribeStackResources",
                    "ec2:CreateRouteTable",
                    "ec2:DeleteNetworkInterface",
                    "ssm:GetParameters",
                    "ec2:DetachInternetGateway",
                    "cloudformation:DescribeStacks",
                    "s3:GetObject",
                    "cloudformation:GetTemplate",
                    "ec2:DeleteVpc",
                    "ec2:AssociateAddress",
                    "ec2:DeleteKeyPair",
                    "ec2:DeleteTags",
                    "sns:DeleteTopic",
                    "secretsmanager:CreateSecret",
                    "aws-marketplace:Subscribe",
                    "ec2:DeleteNetworkInterfacePermission",
                    "ec2:CreateSecurityGroup",
                    "ec2:ModifyVpcAttribute",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "cloudformation:ListStacks",
                    "ec2:TerminateInstances",
                    "ec2:DetachNetworkInterface",
                    "ec2:DeletePlacementGroup",
                    "iam:GetInstanceProfile",
                    "ec2:DeleteRoute",
                    "iam:ListInstanceProfiles",
                    "cloudformation:GetTemplateSummary",
                    "ec2:AllocateAddress",
                    "aws-marketplace:StartBuild",
                    "cloudformation:CreateStack",
                    "ec2:CreateVpcEndpoint",
                    "ec2:DeleteSecurityGroup",
                    "ec2:AttachNetworkInterface",
                    "cloudformation:CreateChangeSet",
                    "cloudformation:DeleteChangeSet",
                    "cloudformation:DescribeChangeSet",
                    "cloudformation:SetStackPolicy"
                ],
                "Resource": "*"
            }
        ]
    }
  5. 单击复查策略并添加策略名称,例如,installerpolicy。单击创建策略
  6. 选择用户 > 添加用户
  7. 输入名称和密码,并确保针对访问类型选择 AWS 管理控制台访问。您也可以选择编程访问。单击下一步:许可权
  8. 选择直接连接现有策略,然后选择在步骤 5 中创建的新策略。单击下一步:标记
  9. 确保添加的标记包含安装程序用户概要文件中的电子邮件地址。
可根据自己的 IT 安全策略定义其他用户概要文件。建议将这些用户的权限限制为其在日常工作期间需要完成的操作;例如,下面的策略仅允许查看、启动、停止和重新引导 EC2 实例以及读取 IAM 角色信息。另请注意,本页的两个策略都使用 "Resource": "*";如果您的安全策略有要求,可以将 Resource 进一步限制为特定的实例或角色 ARN。对于在 EC2 实例上安装的 IBM Spectrum Virtualize for Public Cloud 软件,要创建具有有限许可权的用户概要文件,请按照创建安装程序用户概要文件的指示信息操作,但在创建定制策略时改用以下 JSON 内容:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:RebootInstances",
                "iam:GetRole",
                "ec2:Describe*",
                "ec2:StartInstances",
                "iam:ListRoleTags",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:ListPolicies",
                "ec2:StopInstances",
                "iam:ListRolePolicies",
                "iam:ListInstanceProfiles",
                "iam:GetRolePolicy",
                "ec2:Get*"
            ],
            "Resource": "*"
        }
    ]
}