是否可以为AWS角色信任关系指定模式 [英] Is it possible to specify a pattern for an AWS role Trust Relationship
问题描述
我想允许其他帐户中的某些角色在我的帐户中担任角色.我不想一一指定角色,因为它们容易经常更改.
I want to allow some roles from a different account to assume a role in my account. I don't want to specify the roles one by one, because they're prone to change frequently.
我为信任关系"制定了此策略,该策略应允许任何名称以_my_suffix
结尾的角色,但不起作用(访问被拒绝):
I came up with this policy for the Trust Relationship, which should allow any role which name ends with _my_suffix
, but it doesn't work (access is denied):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
},
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:iam::ACCOUNT_NR_A:role/*_my_suffix"
}
},
"Action": "sts:AssumeRole"
}
]
}
另一方面,此策略有效,但是它太开放了,因为它允许帐户A中的任何用户/角色承担我的角色:
On the other hand, this policy works but it's too open, as it allows any user/role in account A to assume my role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
},
"Action": "sts:AssumeRole"
}
]
}
那么,有什么方法可以只允许一组角色而无需明确指定?
So, is there any way to allow only a set of roles without being explicitly specified?
推荐答案
我最近遇到了相同的用例.没有任何回应为我解决了这个问题.
I encountered the same use-case recently. None of the responses resolved this for me.
Charli,您的原始解决方案是有效的,但我需要进行一些调整才能使其正常工作,即,我需要将"ArnLike"替换为"stringLike",并将"aws:SourceArn"切换为使用"aws:PrincipalArn":>
Charli, your original solution is valid but I needed some tweaks get it to work, namely, I needed to replace 'ArnLike' with 'stringLike' and switch 'aws:SourceArn' to use 'aws:PrincipalArn':
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:PrincipalArn": "arn:aws:iam::<ACCOUNT_ID>:role/test-role-name-*"
}
}
}
这篇关于是否可以为AWS角色信任关系指定模式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!