要创建 SDDC,VMware 必须向您的 AWS 帐户添加几个必需的 AWS 角色和权限。
权限声明
创建 SDDC 所需的初始权限以斜体显示。创建 SDDC 后,将从角色中移除这些权限。此角色的其他权限将保留在您的 AWS 帐户中。
重要事项:
不得更改任何其余的 AWS 角色和权限。这样做将导致 SDDC 无法运行。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:DeleteRoute", "ec2:ReplaceRoute" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "ec2:DescribeNetworkInterfaces", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DescribeNetworkInterfaceAttribute", "ec2:DescribeVpcs", "ec2:DescribeSubnets" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:DescribeStacks", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources", "cloudformation:GetTemplateSummary", "cloudformation:ListStackResources", "cloudformation:GetTemplate", "cloudformation:ListChangeSets", "cloudformation:GetStackPolicy" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:CreatePolicy", "iam:AttachRolePolicy", "iam:GetRole", "iam:PassRole", "iam:PutRolePolicy", "lambda:CreateFunction", "lambda:InvokeFunction", "lambda:GetFunctionConfiguration", "cloudformation:DescribeStackResource", "cloudformation:DescribeStackResources" ], "Resource": "*" } ] }
要查看关联的策略权限文档,请登录到 AWS 控制台并打开
https://console.aws.amazon.com/iam/home?region=us-east-1#/policies/arn:aws:iam::aws:policy/AmazonVPCCrossAccountNetworkInterfaceOperations$jsonEditor.
下面是该策略的摘要描述。
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:DescribeRouteTables", "ec2:CreateRoute", "ec2:DeleteRoute", "ec2:ReplaceRoute" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "ec2:DescribeNetworkInterfaces", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:CreateNetworkInterfacePermission", "ec2:DeleteNetworkInterfacePermission", "ec2:DescribeNetworkInterfacePermissions", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DescribeNetworkInterfaceAttribute", "ec2:DescribeAvailabilityZones", "ec2:DescribeVpcs", "ec2:DescribeSubnets" ], "Resource": [ "*" ] }, { "Effect": "Allow", "Action": [ "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses" ], "Resource": [ "*" ] } ] }