My S3 bucket policy is
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
"arn:aws:iam::035452602320:user/abc.dev",
"arn:aws:iam::035452602320:user/lmn.dev",
"arn:aws:iam::035452602320:user/pqr.dev"
]
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::abc",
"arn:aws:s3:::abc/*"
]
}
]
}
I want to add my SSO user and an IAM user. I tried
"arn:aws:sts::035452602320:assumed-role/AWSReservedSSO_Devops_New_610980ed099cb31f/upasana.ghase"
but it does not work. I also tried adding a condition to the policy, for example,
"Condition": {
"StringLike": {
"aws:userId": "AWSReservedSSO_AmazonRDS-Superuser_f0d2b8a5c8e6b489:upasana.ghase"
}
}
but that does not work for me either. What should I do?
Here is how to specify an SSO user. This worked for me.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::my-bucket/*",
"arn:aws:s3:::my-bucket"
],
"Condition": {
"StringLike": {
"aws:userid": "<RoleId>:<SSOUserName>"
}
}
}
]
}
To get the RoleId:
aws iam get-role --role-name {SSO-Role-Name}
"RoleId": "ARO*******",
SSOUserName is the SSO user name of the user.
PS: remove sensitive information such as the AWS account ID, the exact IAM role name/ARN and the user name.
I would take the following approach. For the SSO user you want to add:
Log in to the AWS account
aws configure sso
Complete the login, assuming the profile name you use is "test-sso".
Retrieve the user ID:
aws sts get-caller-identity --profile test-sso
{
"UserId": "AROAUNIQUE_ROLE_ID:ROLE_SESSION_NAME",
"Account": "111111111111",
"Arn": "arn:aws:sts::111111111111:assumed-role/AWSReservedSSO_complete_role_name/ROLE_SESSION_NAME"
}
Now allow only this user to access the bucket. Go to the bucket and update the policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": "AROAUNIQUE_ROLE_ID:ROLE_SESSION_NAME"
}
}
}
]
}
Now, to add another user with access to the bucket, add the subsequent user ID like this:
"aws:userId": ["AROAUNIQUE_ROLE_ID:ROLE_SESSION_NAME", "AROAUNIQUE_ROLE_ID2:ROLE_SESSION_NAME2"]
Of course, you can set different permissions for different users by extending the policy in the standard way. For example, to allow another user only "read" permission on the same bucket:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Condition": {
"StringNotLike": {
"aws:userId": "AROAUNIQUE_ROLE_ID:ROLE_SESSION_NAME"
}
}
},
{
"Effect": "Allow",
"Principal": "*",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Condition": {
"StringEquals": {
"aws:userId": "AROAUNIQUE_USER_ID2:USER_SESSION_NAME2"
}
}
}
]
}
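As an added example (not code from either answer), the following Python helper builds the "deny everyone whose aws:userId does not match" pattern used in the answers above from a list of allowed aws:userId values, and evaluates, with StringLike's case-sensitive wildcard semantics, whether a given caller would be denied. All role IDs, user IDs and session names in it are constructed, not real AWS identifiers.

```python
import fnmatch
import json

# Constructed sample identities (not real AWS IDs). An assumed-role / SSO caller's
# aws:userId is "<RoleId>:<RoleSessionName>"; an IAM user's is just its unique ID.
ALLOWED_USER_IDS = [
    "AROAEXAMPLEROLEID1:alice",  # one specific SSO session name
    "AROAEXAMPLEROLEID2:*",      # every session of a second permission-set role
    "AIDAEXAMPLEUSERID1",        # an IAM user (no session component)
]


def build_deny_all_but(bucket, allowed_user_ids):
    """Deny all S3 actions on the bucket to every principal except callers whose
    aws:userId matches one of the allowed patterns (the pattern from the answers)."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
            "Condition": {"StringNotLike": {"aws:userId": list(allowed_user_ids)}},
        }],
    }


def _string_like(value, patterns):
    # StringLike / StringNotLike: case-sensitive, '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def is_denied(policy, caller_user_id):
    """Check only the Deny/StringNotLike statements for the caller's aws:userId.
    An explicit Deny wins over any Allow, so a True here means no access."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        patterns = stmt.get("Condition", {}).get("StringNotLike", {}).get("aws:userId", [])
        if isinstance(patterns, str):
            patterns = [patterns]
        if not _string_like(caller_user_id, patterns):
            return True
    return False


if __name__ == "__main__":
    policy = build_deny_all_but("my-bucket", ALLOWED_USER_IDS)
    print(json.dumps(policy, indent=2))
    for uid in ("AROAEXAMPLEROLEID1:alice", "AROAEXAMPLEROLEID1:mallory"):
        print(uid, "denied" if is_denied(policy, uid) else "allowed")
```

The session-name part matters: a pattern without ":*" or an explicit session name admits only that one session, which is why the single assumed-role ARN tried in the question did not match.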