Creating an IAM user profile

Deploying IBM Spectrum Virtualize for Public Cloud software in AWS requires an installer user profile. This profile carries additional permissions for the actions involved in purchasing, creating instances, and deleting and configuring the related resources. Before you run the installation template from AWS Marketplace, you must first create the installer user profile in the AWS IAM management console. If these permissions are not assigned, the actions required to install the IBM Spectrum Virtualize for Public Cloud software successfully fail.

You can use the AWS default administrator profile to install the IBM Spectrum Virtualize for Public Cloud software, or you can create an installer user profile that contains only the permissions required to deploy the software. For more information, see Planning IAM user profiles and permissions on AWS.

To create the installer user profile, complete the following steps:
  1. Log in to the AWS Management Console with the AWS default administrator profile.
  2. Select IAM.
  3. Select Policies > Create policy.
  4. Select the JSON tab and add the following JSON content:
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "VisualEditor0",
                "Effect": "Allow",
                "Action": [
                    "ec2:CreateDhcpOptions",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:ModifyVolumeAttribute",
                    "aws-marketplace:ListBuilds",
                    "ec2:DeleteVpcEndpoints",
                    "ec2:CreateKeyPair",
                    "secretsmanager:DeleteSecret",
                    "ec2:AttachInternetGateway",
                    "iam:PutRolePolicy",
                    "iam:AddRoleToInstanceProfile",
                    "ec2:DeleteRouteTable",
                    "cloudformation:DescribeStackEvents",
                    "ec2:StartInstances",
                    "ec2:CreateNetworkInterfacePermission",
                    "ec2:RevokeSecurityGroupEgress",
                    "ec2:CreateRoute",
                    "ec2:CreateInternetGateway",
                    "cloudformation:UpdateStack",
                    "ec2:DeleteInternetGateway",
                    "sns:Subscribe",
                    "s3:DeleteObject",
                    "cloudformation:ListStackResources",
                    "iam:GetRole",
                    "ec2:CreateTags",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "sns:CreateTopic",
                    "iam:DeleteRole",
                    "ec2:RunInstances",
                    "ec2:StopInstances",
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:DisassociateRouteTable",
                    "ec2:CreateVolume",
                    "ec2:RevokeSecurityGroupIngress",
                    "ec2:CreateNetworkInterface",
                    "s3:PutObject",
                    "cloudformation:GetStackPolicy",
                    "ec2:CreateDefaultVpc",
                    "cloudformation:DeleteStack",
                    "ec2:DeleteDhcpOptions",
                    "ec2:DeleteNatGateway",
                    "ec2:CreateSubnet",
                    "iam:GetRolePolicy",
                    "secretsmanager:TagResource",
                    "cloudformation:CreateUploadBucket",
                    "iam:CreateInstanceProfile",
                    "ec2:AttachVolume",
                    "ec2:DisassociateAddress",
                    "aws-marketplace:Unsubscribe",
                    "ec2:CreateNatGateway",
                    "ec2:CreateVpc",
                    "cloudformation:UpdateTerminationProtection",
                    "sns:ListTopics",
                    "iam:PassRole",
                    "ec2:CreateDefaultSubnet",
                    "iam:DeleteRolePolicy",
                    "s3:DeleteBucket",
                    "iam:DeleteInstanceProfile",
                    "ec2:ReleaseAddress",
                    "ec2:RebootInstances",
                    "aws-marketplace:ViewSubscriptions",
                    "ec2:AssociateDhcpOptions",
                    "ec2:ModifyInstancePlacement",
                    "sns:GetTopicAttributes",
                    "iam:ListRoles",
                    "ec2:Describe*",
                    "s3:ListAllMyBuckets",
                    "ec2:DeleteSubnet",
                    "iam:RemoveRoleFromInstanceProfile",
                    "iam:CreateRole",
                    "s3:CreateBucket",
                    "sns:Unsubscribe",
                    "ec2:AssociateRouteTable",
                    "ec2:DeleteVolume",
                    "ec2:CreatePlacementGroup",
                    "ssm:DescribeParameters",
                    "ec2:Get*",
                    "ec2:DetachVolume",
                    "cloudformation:DescribeStackResources",
                    "ec2:CreateRouteTable",
                    "ec2:DeleteNetworkInterface",
                    "ssm:GetParameters",
                    "ec2:DetachInternetGateway",
                    "cloudformation:DescribeStacks",
                    "s3:GetObject",
                    "cloudformation:GetTemplate",
                    "ec2:DeleteVpc",
                    "ec2:AssociateAddress",
                    "ec2:DeleteKeyPair",
                    "ec2:DeleteTags",
                    "sns:DeleteTopic",
                    "secretsmanager:CreateSecret",
                    "aws-marketplace:Subscribe",
                    "ec2:DeleteNetworkInterfacePermission",
                    "ec2:CreateSecurityGroup",
                    "ec2:ModifyVpcAttribute",
                    "ec2:AuthorizeSecurityGroupEgress",
                    "cloudformation:ListStacks",
                    "ec2:TerminateInstances",
                    "ec2:DetachNetworkInterface",
                    "ec2:DeletePlacementGroup",
                    "iam:GetInstanceProfile",
                    "ec2:DeleteRoute",
                    "iam:ListInstanceProfiles",
                    "cloudformation:GetTemplateSummary",
                    "ec2:AllocateAddress",
                    "aws-marketplace:StartBuild",
                    "cloudformation:CreateStack",
                    "ec2:CreateVpcEndpoint",
                    "ec2:DeleteSecurityGroup",
                    "ec2:AttachNetworkInterface",
                    "cloudformation:CreateChangeSet",
                    "cloudformation:DeleteChangeSet",
                    "cloudformation:DescribeChangeSet",
                    "cloudformation:SetStackPolicy"
                ],
                "Resource": "*"
            }
        ]
    }
  5. Click Review policy and give the policy a name, such as installerpolicy. Click Create policy.
  6. Select Users > Add user.
  7. Enter a name and password, and make sure that AWS Management Console access is selected as the access type. You can optionally also select Programmatic access. Click Next: Permissions.
  8. Select Attach existing policies directly, then select the new policy that you created in step 5. Click Next: Tags.
  9. Make sure that the tags you add include the email address of the installer user profile.
You can define other user profiles according to your own IT security policies. It is recommended that the permissions of these users be limited to the actions that they complete in their daily work. These user profiles are not needed to install the IBM Spectrum Virtualize for Public Cloud software on EC2 instances. To create a user profile with limited permissions, follow the installer user profile instructions, but use the following JSON content when you create the custom policy:
{
   "Version": "2012-10-17",
   "Statement": [
       {
           "Sid": "VisualEditor0",
           "Effect": "Allow",
           "Action": [
               "ec2:RebootInstances",
               "iam:GetRole",
               "ec2:Describe*",
               "ec2:StartInstances",
               "iam:ListRoleTags",
               "iam:ListAttachedRolePolicies",
               "iam:ListRoles",
               "iam:ListPolicies",
               "ec2:StopInstances",
               "iam:ListRolePolicies",
               "iam:ListInstanceProfiles",
               "iam:GetRolePolicy",
               "ec2:Get*"
            ],
           "Resource": "*"
       }
   ]
}
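The two policy documents above are pasted by hand, and the console rejects them outright on a JSON slip such as a misplaced comma or an unsupported Version. The following added example (not part of this documentation or of the IBM product) lints a policy document before it is pasted into step 4, flags the actions that create or widen IAM roles so they stay in the installer profile only, and lists which installer actions a day-to-day profile drops. The excerpts are constructed subsets of the page's policies, and the PRIVILEGE_ACTIONS watchlist is the author's own assumption.

```python
import json

# Constructed excerpts of the two policies on this page (a few actions
# each, not the full lists) used as sample input for the checks below.
INSTALLER_EXCERPT = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
    "Action": ["iam:PassRole", "iam:CreateRole", "iam:PutRolePolicy",
               "ec2:RunInstances", "ec2:StartInstances", "ec2:Describe*"]}]})
LIMITED_EXCERPT = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:Describe*"]}]})

# Assumed watchlist: actions that create or widen roles are acceptable in
# the installer profile but should not appear in a day-to-day profile.
PRIVILEGE_ACTIONS = {"iam:PassRole", "iam:CreateRole", "iam:PutRolePolicy",
                     "iam:AddRoleToInstanceProfile", "iam:AttachRolePolicy"}

def statement_actions(stmt):
    # "Action" may be a single string or a list; normalise to a list.
    actions = stmt.get("Action", [])
    return [actions] if isinstance(actions, str) else list(actions)

def lint_policy(text):
    """Return findings for one policy document; an empty list means clean."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:  # e.g. a comma inside an action string
        return [f"invalid JSON: {e.msg} (line {e.lineno}, column {e.colno})"]
    findings = []
    if doc.get("Version") != "2012-10-17":  # the current policy language version
        findings.append(f"unsupported Version {doc.get('Version')!r}")
    for stmt in doc.get("Statement", []):
        sid = stmt.get("Sid", "?")
        for action in statement_actions(stmt):
            if action in PRIVILEGE_ACTIONS:
                findings.append(f"{sid}: privilege-granting action {action}")
            elif action.endswith("*"):
                findings.append(f"{sid}: wildcard action {action}")
        if stmt.get("Effect") == "Allow" and stmt.get("Resource") == "*":
            findings.append(f"{sid}: Allow applies to every resource")
    return findings

def dropped_in_limited(installer, limited):
    """Installer actions that the day-to-day policy no longer grants."""
    def allowed(text):
        return {a for s in json.loads(text)["Statement"]
                if s.get("Effect") == "Allow" for a in statement_actions(s)}
    return sorted(allowed(installer) - allowed(limited))
```

Run lint_policy over the full installer policy text before pasting it; a non-empty Resource "*" finding is expected for this product's installer profile, while any privilege-granting finding on a day-to-day profile is worth a second look.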