AWS IAM-使用条件 [英] AWS IAM -- Using conditionals
问题描述
我是AWS中IAM的新手。而且,我希望将针对各种用户的查询限制为仅主键与认知ID匹配的表条目。为此,我创建了策略:
I am new to IAM in AWS. And, i desire to restrict the Query for various users to only table entries where primary key matches the cognito id. To achieve this, I created the policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAccessToOnlyItemsMatchingUserID",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXX:table/User"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${cognito-identity.amazonaws.com:sub}"
]
}
}
}
]
}
但是,当我查询表u如下所示唱歌邮递员:
But, when i am querying the table using Postman as shown below:
我遇到以下错误:
"__type": "com.amazon.coral.service#AccessDeniedException",
"Message": "User: arn:aws:sts::XXXXXXXXXXXXX:assumed-role/Achintest/BackplaneAssumeRoleSession is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:XXXXXXXXXXXXX:table/User"
有人可以让我知道我在做什么错误吗?
Can someone please let me know what mistake i am doing?
========更新========
======== UPDATE ========
我尝试使用策略sim,但我无法理解为什么允许如下图所示的无LeadingKey的查询。
I tried using policy sim, and i am unable to understand why the Query without LeadingKey as shown in pic below is allowed.
,当我提供前导密钥时,它说被拒绝。参见以下图片:
and when i provide the leading key, it says denied. See below pic:
推荐答案
该错误消息具有误导性。 (我有同样的问题)
我创建了一个表,设置了一个策略,并且可以执行查询和扫描。
该表仍然为空,但查询和扫描返回了合理的0条结果行。
The error message is misleading. (I had the same problem) I created a table, set up a policy and could do "query" and "scan". The table was still empty but query and scan returned reasonably 0 result lines.
然后我想要细粒度的访问控制并添加
Then I wanted fine grained access control and added
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${aws:userid}"
]
}
}
从这时开始,AWS报告了 AccessDeniedException ....用户...无权执行:dynamodb:查询资源...
from this point on AWS reported "AccessDeniedException" .... User ... is not authorized to perform: dynamodb:Query on resource...
无论如何,我还是继续用数据填充表-等等-现在可以了。
因此,如果不希望出现错误消息,则该错误消息可能很有意义空结果集。
I continued filling the table with data anyway - et voilà - now it works. So the error message might make sense if one doesn't expect an empty resultset.
这篇关于AWS IAM-使用条件的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!