Providing fine-grained access remote command execution for virtual machine instances in a distributed computing environment
Abstract
A selection of a document that includes a command and a parameter is received, and a user is caused to be associated with a policy that grants permission to execute the document. A request is received, from a requestor, to execute the document, the request including a parameter value, and the requestor is determined to be the user associated with the policy. The user is validated to have access to a resource indicated by the parameter value, and the command is caused to be executed against the resource.
20 Claims
1. A computer-implemented method, comprising:
under the control of one or more computer systems that execute instructions,
receiving, from an administrator of an account provided by a computing resource service provider, a first selection of a command document, the first selection received through a first application programming interface, the command document including:
a set of commands for performing one or more operations against a virtual machine instance provided by the computing resource service provider; and
a set of parameters, the set of parameters including a parameter that specifies a virtual machine instance to which the one or more operations are to be performed;
obtaining a policy that grants permission to execute the set of commands included in the command document;
as a result of receiving, from the administrator, a request to associate an entity with the policy, causing a policy management service of the computing resource service provider to associate the entity with the policy;
receiving, from the entity through a second application programming interface, a second selection of the command document, the second selection specifying at least one value for the set of parameters, the at least one value including an identity of the virtual machine instance;
as a result of verifying that the virtual machine instance is capable of executing the set of commands on behalf of the entity according to the policy, causing the set of commands to be executed at the virtual machine instance by providing the set of commands to a software agent running on the virtual machine instance;
receiving a response from the software agent, the response indicating an execution status of the set of commands; and
providing the status to an interface of the entity.
(Dependent claims 2, 3 and 4 not shown.)
5. A system, comprising:
one or more processors; and
memory including instructions that, as a result of execution by the one or more processors, cause the system to:
receive a selection of a command document, the command document specifying one or more operations and a set of parameters, the set of parameters specifying at least one resource;
associate a user with a policy that grants permission to the user to execute the command document;
receive an execution request from the user, the execution request indicating the command document and a set of parameter values associated with the set of parameters;
verify that the at least one resource is able to perform the one or more operations on behalf of the user; and
cause the one or more operations of the command document to attempt to be performed upon the at least one resource in accordance with the set of parameters.
(Dependent claims 6 through 13 not shown.)
14. A non-transitory computer-readable storage medium having stored thereon executable instructions that, as a result of being executed by one or more processors of a computer system, cause the computer system to at least:
receive a selection of a document, the document including a command and a parameter;
cause a user to be associated with a policy that grants permission to execute the document;
receive a request, from a requestor, to execute the document, the request including a parameter value;
determine that the requestor is the user associated with the policy;
validate that the user has access to a resource indicated by the parameter value; and
cause the command to be executed against the resource.
(Dependent claims 15 through 20 not shown.)
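The three independent claims describe one authorization flow: an administrator registers a command document (commands plus declared parameters, one of which names the target instance); a policy grants execution of that document; an entity bound to the policy submits the document with parameter values; the service checks that the requestor holds the policy and that the instance named by the parameter value is one the policy covers, then hands the commands to the agent on the instance and relays its status. The following Python model of that flow is an added illustration and is not code from the patent or its assignee. The document name, instance identifiers, the per-parameter value pattern check and the agent stub are assumptions constructed for the example; the pattern check in particular is the caveat a practitioner would add, because a policy that grants "this document" is only as narrow as the values its parameters can carry.

```python
"""Policy-gated remote command execution, modelled on the claimed flow.

Added illustration, not code from the patent or its assignee.  Document
names, instance IDs, the parameter-pattern check and the agent stub are
constructed assumptions for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CommandDocument:
    name: str
    commands: tuple   # command templates, e.g. "systemctl restart {Service}"
    parameters: dict  # declared parameter -> allowed value pattern (assumed)


@dataclass(frozen=True)
class Policy:
    document: str                 # the policy names a document, not raw shell
    allowed_instances: frozenset  # instances the policy holder may target


class PolicyManagementService:
    """Associates entities with policies (claim 1's policy management service)."""

    def __init__(self):
        self._bindings = {}

    def associate(self, entity, policy):
        self._bindings.setdefault(entity, set()).add(policy)

    def policies_for(self, entity):
        return self._bindings.get(entity, set())


def fake_agent(instance_id, commands):
    """Stand-in for the software agent on the instance (constructed); it
    only reports an execution status instead of running anything."""
    return {"instance": instance_id, "status": "Success", "executed": list(commands)}


class RunCommandService:
    def __init__(self, policy_service, agent=fake_agent):
        self._documents = {}
        self._policies = policy_service
        self._agent = agent

    def register_document(self, doc):
        # First API: the administrator's selection of a command document.
        self._documents[doc.name] = doc

    def execute(self, entity, doc_name, values):
        # Second API: the entity selects the document and supplies values.
        doc = self._documents.get(doc_name)
        if doc is None:
            return {"status": "Failed", "reason": "unknown document"}
        # Every declared parameter must be present, nothing undeclared may be
        # passed, and each value must match its pattern.  Without this, a
        # value such as "nginx; id" would turn a grant for one document into
        # a grant for arbitrary shell (assumed hardening, not in the claims).
        if set(values) != set(doc.parameters):
            return {"status": "Failed", "reason": "parameter set mismatch"}
        for key, value in values.items():
            if not re.fullmatch(doc.parameters[key], value):
                return {"status": "Failed", "reason": f"invalid value for {key!r}"}
        instance = values["InstanceId"]
        # The requestor must hold a policy for this document that covers the
        # instance named by the parameter value (claim 14: validate that the
        # user has access to the resource indicated by the parameter value).
        if not any(p.document == doc_name and instance in p.allowed_instances
                   for p in self._policies.policies_for(entity)):
            return {"status": "AccessDenied",
                    "reason": "no policy covers this document and instance"}
        rendered = tuple(c.format(**values) for c in doc.commands)
        # Provide the commands to the agent and relay its execution status.
        return self._agent(instance, rendered)


def demo():
    """Constructed scenario: one document, one bound entity, four requests."""
    pms = PolicyManagementService()
    svc = RunCommandService(pms)
    svc.register_document(CommandDocument(
        "RestartService",
        ("systemctl restart {Service}",),
        {"InstanceId": r"i-[0-9a-f]{8}", "Service": r"[a-z][a-z0-9-]{0,31}"},
    ))
    pms.associate("ops-oncall", Policy("RestartService", frozenset({"i-0a1b2c3d"})))
    ok = {"InstanceId": "i-0a1b2c3d", "Service": "nginx"}
    return {
        "allowed": svc.execute("ops-oncall", "RestartService", ok),
        "wrong_instance": svc.execute("ops-oncall", "RestartService",
                                      {**ok, "InstanceId": "i-deadbeef"}),
        "unbound_entity": svc.execute("intern", "RestartService", ok),
        "injection": svc.execute("ops-oncall", "RestartService",
                                 {**ok, "Service": "nginx; id"}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result)
```

The two denials differ on purpose: an entity with no binding is refused before any resource check, and a bound entity naming an instance outside its policy is refused even though the document itself is permitted, which is the fine-grained part of the claimed method. The injection case is rejected as a malformed request rather than an authorization failure, since the document's declared parameters, not the policy, define what a value may contain.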
Specification