Create a role
#Syntax:
radosgw-admin role create --role-name={role-name} [--path="{path to the role}"] [--assume-role-policy-doc={trust-policy-document}]
#Example:
[ceph@ceph03 ~]$ radosgw-admin role create --role-name=S3Access1 --path=/application_abc/component_xyz/ --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}
{
"RoleId": "8220c880-4497-46c1-a49f-84ed3fd13a4f",
"RoleName": "S3Access1",
"Path": "/application_abc/component_xyz/",
"Arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
"CreateDate": "2020-05-26T08:26:02.894Z",
"MaxSessionDuration": 3600,
"AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
}
Delete a role
radosgw-admin role rm --role-name={role-name}
Get a role
radosgw-admin role get --role-name={role-name}
List roles
#List the roles whose path starts with the given prefix. Syntax:
radosgw-admin role list [--path-prefix={path prefix}]
#Example:
[ceph@ceph03 ~]$ radosgw-admin role list --path-prefix="/application"
[
{
"RoleId": "8220c880-4497-46c1-a49f-84ed3fd13a4f",
"RoleName": "S3Access1",
"Path": "/application_abc/component_xyz/",
"Arn": "arn:aws:iam:::role/application_abc/component_xyz/S3Access1",
"CreateDate": "2020-05-26T08:26:02.894Z",
"MaxSessionDuration": 3600,
"AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
},
{
"RoleId": "be6291a0-898b-4055-b5ca-06c07527c085",
"RoleName": "S3Access2",
"Path": "/application/component/",
"Arn": "arn:aws:iam:::role/application/component/S3Access2",
"CreateDate": "2020-05-26T08:28:21.176Z",
"MaxSessionDuration": 3600,
"AssumeRolePolicyDocument": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Principal\":{\"AWS\":[\"arn:aws:iam:::user/TESTER\"]},\"Action\":[\"sts:AssumeRole\"]}]}"
}
]
Update a role's assume-role (trust) policy document
#Syntax:
radosgw-admin role modify --role-name={role-name} --assume-role-policy-doc={trust-policy-document}
#Example:
[ceph@ceph03 ~]$ radosgw-admin role modify --role-name=S3Access1 --assume-role-policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Principal\":\{\"AWS\":\[\"arn:aws:iam:::user/TESTER2\"\]\},\"Action\":\[\"sts:AssumeRole\"\]\}\]\}
Assume role policy document updated successfully for role: S3Access
Add or update a permission policy attached to a role
#Syntax:
radosgw-admin role policy put --role-name={role-name} --policy-name={policy-name} --policy-doc={permission-policy-doc}
#Example:
[ceph@ceph03 ~]$ radosgw-admin role-policy put --role-name=S3Access1 --policy-name=Policy1 --policy-doc=\{\"Version\":\"2012-10-17\",\"Statement\":\[\{\"Effect\":\"Allow\",\"Action\":\[\"s3:*\"\],\"Resource\":\"arn:aws:s3:::example_bucket\"\}\]\}
Permission policy attached successfully
List the names of the permission policies attached to a role
[ceph@ceph03 ~]$ radosgw-admin role-policy list --role-name=S3Access1
[
"Policy1"
]
Get a permission policy attached to a role
[ceph@ceph03 ~]$ radosgw-admin role-policy get --role-name=S3Access1 --policy-name=Policy1
{
"Permission policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":[\"s3:*\"],\"Resource\":\"arn:aws:s3:::example_bucket\"}]}"
}
Delete a permission policy attached to a role
radosgw-admin role policy rm --role-name={role-name} --policy-name={policy-name}
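Two recurring chores in the commands above are escaping the JSON policy document on the shell command line and reading the escaped AssumeRolePolicyDocument strings back out of `role list` to see who is trusted to assume each role. The following Python is an added example (not part of the original page or of Ceph): it builds a correctly quoted `role create` line from structured data and audits a constructed `role list` output, modelled on the one above, for the principals each role trusts.

```python
import json
import shlex

# Constructed sample, modelled on the `radosgw-admin role list` output above:
# S3Access1 trusts TESTER2 (after the `role modify` step), S3Access2 still trusts TESTER.
ROLE_LIST = json.dumps([
    {"RoleName": "S3Access1", "Path": "/application_abc/component_xyz/",
     "AssumeRolePolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam:::user/TESTER2"]},
          "Action": ["sts:AssumeRole"]}]})},
    {"RoleName": "S3Access2", "Path": "/application/component/",
     "AssumeRolePolicyDocument": json.dumps({"Version": "2012-10-17", "Statement": [
         {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam:::user/TESTER"},
          "Action": "sts:AssumeRole"}]})},
])

def trust_policy(principal_arns):
    """Assume-role (trust) policy: only these user ARNs may call sts:AssumeRole."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": list(principal_arns)},
                           "Action": ["sts:AssumeRole"]}]}

def role_create_cmd(role_name, path, principal_arns):
    """Build the `role create` line; shlex.quote does the escaping the examples do by hand."""
    doc = json.dumps(trust_policy(principal_arns), separators=(",", ":"))
    return " ".join(["radosgw-admin", "role", "create",
                     "--role-name=" + shlex.quote(role_name),
                     "--path=" + shlex.quote(path),
                     "--assume-role-policy-doc=" + shlex.quote(doc)])

def who_can_assume(role_list_json):
    """Map RoleName -> set of principal ARNs granted sts:AssumeRole by an Allow statement.
    AssumeRolePolicyDocument is stored as an escaped JSON string, so it is parsed a second
    time; Action and Principal.AWS may each be a single string or a list."""
    result = {}
    for role in json.loads(role_list_json):
        allowed = set()
        for st in json.loads(role["AssumeRolePolicyDocument"]).get("Statement", []):
            actions = st.get("Action", [])
            actions = [actions] if isinstance(actions, str) else actions
            if st.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
                continue
            aws = st.get("Principal", {}).get("AWS", [])
            allowed.update([aws] if isinstance(aws, str) else aws)
        result[role["RoleName"]] = allowed
    return result
```

Feed the real `radosgw-admin role list` output to `who_can_assume` to get the same trust map for a live gateway.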
Manipulating roles via the REST API
In addition to the radosgw-admin commands above, the following REST APIs can be used to manipulate roles. For the request parameters and their descriptions, refer to the sections above.
To call the REST admin APIs, a user with admin capabilities must be created (the `roles` cap granted below is what authorizes the role operations).
radosgw-admin --uid TESTER --display-name "TestUser" --access_key TESTER --secret test123 user create
radosgw-admin caps add --uid="TESTER" --caps="roles=*"
Document last updated: 2020-05-26 16:47 Author: 子木