我想让用户仅在一个rds实例上具有完全访问权限 [英] I want to make users have full access only on ONE rds instance

问题描述

我尝试使用此政策:

{
  "Version":"2012-10-17",  
  "Statement":[{
    "Effect":"Allow",
    "Action":"rds:*",
    "Resource":"arn:aws:rds:sa-east-1:442617300818:db:databasename"
    }]
}

响应为:

用户:arn:aws:iam :: 442617300818:user/wa-DB-developers不是 授权执行:rds:DescribeDBInstances(服务:AmazonRDS； 状态码:403；错误代码:AccessDenied;要求编号: 5f1e86c6-8145-11e4-9598-27c541a5a3a7)

User: arn:aws:iam::442617300818:user/wa-DB-developers is not authorized to perform: rds:DescribeDBInstances (Service: AmazonRDS; Status Code: 403; Error Code: AccessDenied; Request ID: 5f1e86c6-8145-11e4-9598-27c541a5a3a7)

谢谢！

推荐答案

可以使用模拟器允许您选择一个用户，一个动作(例如DescribeDbInstances)和一个资源，然后确定是否允许该用户对该资源调用该动作.

The simulator allows you to select a User, an Action (eg DescribeDbInstances) and a resource, and then determine whether the User is allowed to call that action on that resource.

在您的特定情况下，由于该策略仅授予特定RDS实例的权限，因此对DescribeDBIntances的调用(未指定特定实例)将失败.

In your specific case, since the policy only grants permission on a specific RDS instance, a call to DescribeDBIntances without specifying a specific instance will fail.

例如，在CLI中，此操作将失败:

For example, from the CLI this will fail:

aws rds describe-db-instances

但是，这将起作用:

aws rds describe-db-instances --db-instance-identifier databasename

这是因为您尚未授予查看所有数据库的权限.仅查询策略已授予访问权限的特定数据库将成功.

This is because you have not granted permission to view all databases. Querying only the specific database to which the policy has granted access will succeed.

这篇关于我想让用户仅在一个rds实例上具有完全访问权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！