我正在尝试创建一项策略,授予对 CodeArtifact 上的一个 python 包的只读访问权限。
这是我到目前为止所得到的,但它似乎授予对存储库中所有包的访问权限(而不仅仅是
myPackage1
):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:GetServiceBearerToken"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"codeartifact:GetAuthorizationToken"
],
"Resource": [
"arn:aws:codeartifact:eu-central-1:REDACTED:domain/REDACTED_DOMAIN"
]
},
{
"Effect": "Allow",
"Action": [
"codeartifact:ReadFromRepository"
],
"Resource": [
"arn:aws:codeartifact:eu-central-1:REDACTED:repository/REDACTED_DOMAIN/REDACTED_REPO"
]
},
{
"Effect": "Allow",
"Action": [
"codeartifact:DescribePackage",
"codeartifact:GetPackageVersionReadme",
"codeartifact:GetPackageVersionAsset"
],
"Resource": [
"arn:aws:codeartifact:eu-central-1:REDACTED:package/REDACTED_DOMAIN/REDACTED_REPO/pypi/*/myPackage1"
]
}
]
}
我需要更改什么才能限制仅访问一个包?
您需要使用空字符串而不是包组的通配符。
所以,而不是
arn:aws:codeartifact:eu-central-1:REDACTED:package/REDACTED_DOMAIN/REDACTED_REPO/pypi/*/myPackage1
,
尝试
arn:aws:codeartifact:eu-central-1:REDACTED:package/REDACTED_DOMAIN/REDACTED_REPO/pypi//myPackage1
对于没有命名空间的包或包格式(Python 和 NuGet),包组不得包含命名空间。这些包组的包组定义包含空白命名空间部分。例如,名为 requests 的 Python 包的路径为 /python//requests。