我正在尝试向联合用户 (ADFS + SAML + STS) 授予对 Amazon S3 存储桶的访问权限。我想给校长一个
"Principal": {
"AWS": [
"arn:aws:sts: accountid:federated-user/someuser"
]
}
和
"Resource": "arn:aws:s3:::mybucket"
但我似乎无法获得正确的访问权限。关于此的任何指示
用户在尝试访问存储桶之前是否先担任特定角色?
如果是这样,请尝试将用户和代入的角色都包含在您的存储桶策略中,即
"AWS": [
"arn:aws:sts::1234567890:assumed-role/User/[email protected]",
"arn:aws:iam::1234567890:role/User"
]
其中
User这可能是一篇旧帖子,但@alkalinecoffee的上述答案确实帮助我找到了今天的最佳答案
IAM 角色策略现在大量使用条件:
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::<s3bucket>",
"arn:aws:s3:::<s3bucket>/*"
],
"Condition": {
"ArnNotEquals": {
"aws:PrincipalArn": [
"arn:aws:iam::<AccountID>:role/aws-reserved/sso.amazonaws.com/<region>/<rolename>",
"arn:aws:iam::<AccountID>:assumed-role/<rolename>/<federateduser>"
]
}
}
}
这将阻止除
ArnNotEquals