个人中心
gpt4 book ai didi

amazon-web-services - 使用 CloudFormation 模板基于 IAM 的 ssh 到 EC2 实例

转载 作者:行者123 更新时间:2023-12-03 07:35:59 25 4
gpt4 key购买 nike

我正在使用 AWS CloudFormation 模板对 EC2 实例进行基于 IAM 角色的访问。

我在运行模板时收到权限被拒绝错误,并且我无法使用没有 pem 文件的用户名访问 EC2 计算机。

  Instance:
    Type: 'AWS::EC2::Instance'
    Metadata:
      'AWS::CloudFormation::Init':
        config:
          files:
            /opt/authorized_keys_command.sh:
              content: >
                #!/bin/bash -e

                if [ -z "$1" ]; then
                  exit 1
                fi
                SaveUserName="$1"
                SaveUserName=${SaveUserName//"+"/".plus."}
                SaveUserName=${SaveUserName//"="/".equal."}
                SaveUserName=${SaveUserName//","/".comma."}
                SaveUserName=${SaveUserName//"@"/".at."}
                aws iam list-ssh-public-keys --user-name "$SaveUserName" --query
                "SSHPublicKeys[?Status == 'Active'].[SSHPublicKeyId]" --output
                text | while read KeyId; do
                  aws iam get-ssh-public-key --user-name "$SaveUserName" --ssh-public-key-id "$KeyId" --encoding SSH --query "SSHPublicKey.SSHPublicKeyBody" --output text
                done
              mode: '000755'
              owner: root
              group: root
            /opt/import_users.sh:
              content: >
                #!/bin/bash
                aws iam list-users --query "Users[].[UserName]" --output text |
                while read User; do
                  SaveUserName="$User"
                  SaveUserName=${SaveUserName//"+"/".plus."}
                  SaveUserName=${SaveUserName//"="/".equal."}
                  SaveUserName=${SaveUserName//","/".comma."}
                  SaveUserName=${SaveUserName//"@"/".at."}
                  if id -u "$SaveUserName" >/dev/null 2>&1; then
                    echo "$SaveUserName exists"
                  else
                    #sudo will read each file in /etc/sudoers.d, skipping file names that end in ?~? or contain a ?.? character to avoid causing problems with package manager or editor temporary/backup files.
                    SaveUserFileName=$(echo "$SaveUserName" | tr "." " ")
                    /usr/sbin/adduser "$SaveUserName"
                    echo "$SaveUserName ALL=(ALL) NOPASSWD:ALL" > "/etc/sudoers.d/$SaveUserFileName"
                  fi
                done
              mode: '000755'     owner: root      group: root
            /etc/cron.d/import_users:
              content: |
                */10 * * * * root /opt/import_users.sh
              mode: '000644'    owner: root
              group: root
            /etc/cfn/cfn-hup.conf:
              content: !Sub |
                [main]
                stack=${AWS::StackId}
                region=${AWS::Region}
                interval=1
              mode: '000400'  owner: root        group: root
            /etc/cfn/hooks.d/cfn-auto-reloader.conf:
              content: !Sub >
                [cfn-auto-reloader-hook]
                triggers=post.update
                path=Resources.Instance.Metadata.AWS::CloudFormation::Init
                action=/opt/aws/bin/cfn-init --verbose
                --stack=${AWS::StackName}  --region=${AWS::Region} 
                --resource=Instance
                runas=root
          commands:
            a_configure_sshd_command:
              command: >-
                sed -i 's:#AuthorizedKeysCommand none:AuthorizedKeysCommand
                /opt/authorized_keys_command.sh:g' /etc/ssh/sshd_config
            b_configure_sshd_commanduser:
              command: >-
                sed -i 's:#AuthorizedKeysCommandUser
                nobody:AuthorizedKeysCommandUser nobody:g' /etc/ssh/sshd_config
            c_import_users:
              command: ./import_users.sh
              cwd: /opt
          services:
            sysvinit:
              cfn-hup:
                enabled: true
                ensureRunning: true
                files:
                  - /etc/cfn/cfn-hup.conf
                  - /etc/cfn/hooks.d/cfn-auto-reloader.conf
              sshd:
                enabled: true
                ensureRunning: true
                commands:
                  - a_configure_sshd_command
                  - b_configure_sshd_commanduser
      'AWS::CloudFormation::Designer':
        id: 85ddeee0-0623-4f50-8872-1872897c812f
    Properties:
      ImageId: !FindInMap 
        - RegionMap
        - !Ref 'AWS::Region'
        - AMI
      IamInstanceProfile: !Ref InstanceProfile
      InstanceType: t2.micro      
      UserData:
        'Fn::Base64': !Sub >
          #!/bin/bash -x
          /opt/aws/bin/cfn-init --verbose --stack=${AWS::StackName}
          --region=${AWS::Region} --resource=Instance
          /opt/aws/bin/cfn-signal --exit-code=$? --stack=${AWS::StackName}
          --region=${AWS::Region}  --resource=Instance

最佳答案

此用户数据脚本将配置 Linux 实例以使用密码身份验证。

虽然这里的密码是硬编码的,但您可以通过其他方式获取它并将其设置为适当的值。

#!
echo 'secret-password' | passwd ec2-user --stdin
sed -i 's|[#]*PasswordAuthentication no|PasswordAuthentication yes|g' /etc/ssh/sshd_config
systemctl restart sshd.service

关于amazon-web-services - 使用 CloudFormation 模板基于 IAM 的 ssh 到 EC2 实例,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/57247858/

25 4 0
文章推荐: amazon-web-services - 由于权限问题,无法从 API Gateway 调用简单 Lambda
文章推荐: r - R中的双for循环运算(带有示例)
文章推荐: c++ - 如何防止数组数据被修改?
文章推荐: amazon-web-services - 如何为临时用户分配策略?
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com