Access to the Kiro console and subscription management requires permissions granted through AWS IAM. An administrator creates an identity-based policy containing the necessary permissions and attaches it to an IAM identity. Subscribing to Kiro automatically creates two service-linked roles, AWSServiceRoleForUserSubscriptions and AWSServiceRoleForAmazonQDeveloper, used for subscription synchronization and billing monitoring respectively.

Kiro Enterprise IAM: Identity and Access Management permission configuration

To access the Kiro console and manage subscriptions, you need to grant the corresponding permissions through AWS Identity and Access Management (IAM). AWS IAM is the standard service for securely controlling access to AWS resources, and it is provided free of charge.

Concretely, create an identity-based policy containing the required permissions, then attach it to the IAM identity (user, group, or role) responsible for configuring the Kiro subscription.

In addition, Kiro uses AWS IAM service-linked roles. A service-linked role is a special type of IAM role linked directly to Kiro; it is created automatically at subscription time and needs no manual configuration.

Identity-based policies

An identity-based policy is a JSON permissions document that can be attached to an IAM user, user group, or role to control which actions they can perform on which resources.

Example: allow an administrator to configure Kiro and subscribe users

The following policy grants an administrator the permissions needed to operate in the Kiro console, including subscribing users, configuring the IAM Identity Center integration, managing organization settings, and creating and configuring customer managed KMS keys.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sso:ListInstances",
        "sso:CreateInstance",
        "sso:CreateApplication",
        "sso:PutApplicationAuthenticationMethod",
        "sso:PutApplicationGrant",
        "sso:PutApplicationAssignmentConfiguration",
        "sso:ListApplications",
        "sso:GetSharedSsoConfiguration",
        "sso:DescribeInstance",
        "sso:PutApplicationAccessScope",
        "sso:DescribeApplication",
        "sso:DeleteApplication",
        "sso:CreateApplicationAssignment",
        "sso:DeleteApplicationAssignment",
        "sso:UpdateApplication",
        "sso:DescribeRegisteredRegions",
        "sso:GetSSOStatus"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:ListRoles"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["identitystore:DescribeUser"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sso-directory:GetUserPoolInfo",
        "sso-directory:DescribeUser",
        "sso-directory:DescribeUsers",
        "sso-directory:DescribeGroups",
        "sso-directory:SearchGroups",
        "sso-directory:SearchUsers",
        "sso-directory:DescribeDirectory"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "signin:ListTrustedIdentityPropagationApplicationsForConsole",
        "signin:CreateTrustedIdentityPropagationApplicationForConsole"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "user-subscriptions:ListClaims",
        "user-subscriptions:ListApplicationClaims",
        "user-subscriptions:ListUserSubscriptions",
        "user-subscriptions:CreateClaim",
        "user-subscriptions:DeleteClaim",
        "user-subscriptions:UpdateClaim",
        "user-subscriptions:SetOverageConfig"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:DescribeAccount",
        "organizations:DescribeOrganization",
        "organizations:ListAWSServiceAccessForOrganization",
        "organizations:DisableAWSServiceAccess",
        "organizations:EnableAWSServiceAccess"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:ListAliases",
        "kms:CreateGrant",
        "kms:Encrypt",
        "kms:Decrypt",
        "kms:GenerateDataKey*",
        "kms:RetireGrant",
        "kms:DescribeKey"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["codeguru-security:UpdateAccountConfiguration"],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateServiceLinkedRole"],
      "Resource": [
        "arn:aws:iam::*:role/aws-service-role/q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "codewhisperer:UpdateProfile",
        "codewhisperer:ListProfiles",
        "codewhisperer:TagResource",
        "codewhisperer:UnTagResource",
        "codewhisperer:ListTagsForResource",
        "codewhisperer:CreateProfile"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "q:ListDashboardMetrics",
        "q:CreateAssignment",
        "q:DeleteAssignment",
        "q:UpdateAssignment"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:ListMetrics"
      ],
      "Resource": ["*"]
    }
  ]
}
```

Service-linked roles
A service-linked role is a special IAM role linked directly to Kiro. It is predefined by AWS and includes all the permissions Kiro needs to call other AWS services on your behalf. It is created automatically when you subscribe to Kiro Enterprise, so you do not need to add permissions manually.

You cannot modify the names or permission policies of these two roles, but you can edit their descriptions. Before deleting a service-linked role, you must first delete the resources that depend on it.

Subscribing to Kiro Enterprise automatically creates the following two service-linked roles:

- AWSServiceRoleForUserSubscriptions
- AWSServiceRoleForAmazonQDeveloper

AWSServiceRoleForUserSubscriptions

This role authorizes Kiro to access your IAM Identity Center resources so that subscriptions can be updated automatically.

Trusted service: user-subscriptions.amazonaws.com

Key permissions:

| Action | Resource |
|---|---|
| identitystore:DescribeGroup | * |
| identitystore:DescribeUser | * |
| identitystore:IsMemberInGroups | * |
| identitystore:ListGroupMemberships | * |
| organizations:DescribeOrganization | * |
| sso:DescribeApplication | * |
| sso:DescribeInstance | * |
| sso:ListInstances | * |
| sso-directory:DescribeUser | * |

AWSServiceRoleForAmazonQDeveloper

This role authorizes Kiro to access account data for billing calculations, to create and access security reports in Amazon CodeGuru, and to send metric data to CloudWatch.

Trusted service: q.amazonaws.com

Key permissions:

| Action | Resource |
|---|---|
| cloudwatch:PutMetricData | AWS/Q CloudWatch namespace |
Managing service-linked roles

Kiro creates the service-linked roles automatically when you create a Kiro profile in the AWS Management Console. If you delete these roles and need to recreate them, you can do so through the IAM console or the AWS CLI using the q.amazonaws.com service name.
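As an added example that is not Kiro's or AWS's own code, the following Python script performs the least-privilege review a practitioner would run on the administrator policy above before attaching it, and on a service-linked role's trust policy before relying on it. It groups the allowed actions by service, lists the actions granted on Resource "*" (candidates for narrowing, for example the KMS actions to the ARN of the customer managed key Kiro uses), flags any whole-service wildcard such as "kms:*", confirms that iam:CreateServiceLinkedRole is scoped to the documented AWSServiceRoleForAmazonQDeveloper ARN rather than "*", and checks that the trust policy names only the documented trusted service. The embedded policy is a constructed, abbreviated excerpt with the same shape as the page's policy, the trust policy is constructed to match the documented trusted service q.amazonaws.com, and the function names are the example's own.

```python
# Least-privilege review of a Kiro administrator policy and a service-linked
# role trust policy. Added example; not Kiro's or AWS's own code.
import json
from collections import defaultdict

# The service-linked role ARN that this page's policy scopes role creation to.
EXPECTED_SLR_ARN = ("arn:aws:iam::*:role/aws-service-role/"
                    "q.amazonaws.com/AWSServiceRoleForAmazonQDeveloper")

# Constructed, abbreviated excerpt with the same shape as this page's admin
# policy (a real review would load the full document from a file).
ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": ["*"],
         "Action": ["sso:ListInstances", "sso:CreateApplication"]},
        {"Effect": "Allow", "Resource": ["*"],
         "Action": ["kms:CreateGrant", "kms:Encrypt", "kms:Decrypt",
                    "kms:GenerateDataKey*", "kms:DescribeKey"]},
        {"Effect": "Allow", "Resource": [EXPECTED_SLR_ARN],
         "Action": ["iam:CreateServiceLinkedRole"]},
        {"Effect": "Allow", "Resource": ["*"],
         "Action": ["cloudwatch:GetMetricData", "cloudwatch:ListMetrics"]},
    ],
}

# Constructed trust policy matching the documented trusted service of
# AWSServiceRoleForAmazonQDeveloper (the real one is managed by AWS).
SLR_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "q.amazonaws.com"}}],
}


def _as_list(value):
    """IAM accepts a single string or a list in Statement/Action/Resource."""
    return value if isinstance(value, list) else [value]


def _allow_statements(policy):
    return [s for s in _as_list(policy["Statement"]) if s.get("Effect") == "Allow"]


def actions_by_service(policy):
    """Map service prefix -> sorted allowed actions, to see what the policy spans."""
    grouped = defaultdict(set)
    for st in _allow_statements(policy):
        for action in _as_list(st.get("Action", [])):
            prefix = action.split(":", 1)[0] if ":" in action else "*"
            grouped[prefix].add(action)
    return {k: sorted(v) for k, v in grouped.items()}


def wildcard_resource_actions(policy):
    """Actions granted on Resource "*": candidates for narrowing to specific ARNs."""
    found = set()
    for st in _allow_statements(policy):
        if "*" in _as_list(st.get("Resource", [])):
            found.update(_as_list(st.get("Action", [])))
    return sorted(found)


def bare_wildcard_actions(policy):
    """Actions of the form "*" or "service:*" (whole-service grants)."""
    return sorted(a for st in _allow_statements(policy)
                  for a in _as_list(st.get("Action", []))
                  if a == "*" or a.endswith(":*"))


def slr_creation_is_scoped(policy, expected_arn):
    """True iff every statement allowing iam:CreateServiceLinkedRole names only
    expected_arn, so the identity can create just that one service-linked role."""
    for st in _allow_statements(policy):
        if "iam:CreateServiceLinkedRole" in _as_list(st.get("Action", [])):
            if set(_as_list(st.get("Resource", []))) != {expected_arn}:
                return False
    return True


def trusted_services(trust_policy):
    """Service principals the trust policy allows to assume the role."""
    services = set()
    for st in _allow_statements(trust_policy):
        principal = st.get("Principal", {})
        if "sts:AssumeRole" in _as_list(st.get("Action", [])) and isinstance(principal, dict):
            services.update(_as_list(principal.get("Service", [])))
    return sorted(services)


def review(policy, trust_policy, expected_arn=EXPECTED_SLR_ARN):
    """Summarize the findings; 'ok' is True only when the hard checks all pass."""
    findings = {
        "services": sorted(actions_by_service(policy)),
        "wildcard_resource_actions": wildcard_resource_actions(policy),
        "bare_wildcard_actions": bare_wildcard_actions(policy),
        "slr_creation_scoped": slr_creation_is_scoped(policy, expected_arn),
        "slr_trusted_services": trusted_services(trust_policy),
    }
    findings["ok"] = (findings["slr_creation_scoped"]
                      and not findings["bare_wildcard_actions"]
                      and findings["slr_trusted_services"] == ["q.amazonaws.com"])
    return findings


if __name__ == "__main__":
    print(json.dumps(review(ADMIN_POLICY, SLR_TRUST_POLICY), indent=2))
```

Run it directly to print the summary, or pass review() the policy document retrieved with the AWS CLI (the JSON returned by `aws iam get-policy-version`, and the AssumeRolePolicyDocument from `aws iam get-role` for the trust policy). The wildcard-resource list is informational, since the console actions above are documented with Resource "*"; the hard failures are a CreateServiceLinkedRole grant broader than the one documented role, a whole-service wildcard, or a trust policy that names anything other than q.amazonaws.com.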
Supported AWS Regions

The following Regions support Kiro service-linked roles:

| Region name | Region code |
|---|---|
| US East (N. Virginia) | us-east-1 |
| Europe (Frankfurt) | eu-central-1 |

FAQ

Q: Do I need to create the service-linked roles manually?

A: No. Kiro creates them automatically when you create a Kiro profile in the AWS Management Console. If they are deleted by mistake, you can recreate them through the IAM console.

Q: Can I modify the permissions of a service-linked role?

A: No. Service-linked roles are predefined by AWS and their permission policies cannot be modified, but the role description can be edited.

Q: What are the prerequisites for deleting a service-linked role?

A: You must first clean up all Kiro resources that depend on the role; otherwise the deletion fails. This prevents a mistaken deletion from leaving resources without access.