我想让用户仅在一个rds实例上具有完全访问权限 [英] I want to make users have full access only on ONE rds instance
问题描述
我尝试使用此政策:
{
"Version":"2012-10-17",
"Statement":[{
"Effect":"Allow",
"Action":"rds:*",
"Resource":"arn:aws:rds:sa-east-1:442617300818:db:databasename"
}]
}
响应为:
用户:arn:aws:iam :: 442617300818:user/wa-DB-developers不是 授权执行:rds:DescribeDBInstances(服务:AmazonRDS; 状态码:403;错误代码:AccessDenied;要求编号: 5f1e86c6-8145-11e4-9598-27c541a5a3a7)
User: arn:aws:iam::442617300818:user/wa-DB-developers is not authorized to perform: rds:DescribeDBInstances (Service: AmazonRDS; Status Code: 403; Error Code: AccessDenied; Request ID: 5f1e86c6-8145-11e4-9598-27c541a5a3a7)
谢谢!
推荐答案
可以使用模拟器允许您选择一个用户,一个动作(例如DescribeDbInstances)和一个资源,然后确定是否允许该用户对该资源调用该动作.
The simulator allows you to select a User, an Action (eg DescribeDbInstances) and a resource, and then determine whether the User is allowed to call that action on that resource.
在您的特定情况下,由于该策略仅授予特定RDS实例的权限,因此对DescribeDBIntances
的调用(未指定特定实例)将失败.
In your specific case, since the policy only grants permission on a specific RDS instance, a call to DescribeDBIntances
without specifying a specific instance will fail.
例如,在CLI中,此操作将失败:
For example, from the CLI this will fail:
aws rds describe-db-instances
但是,这将起作用:
aws rds describe-db-instances --db-instance-identifier databasename
这是因为您尚未授予查看所有数据库的权限.仅查询策略已授予访问权限的特定数据库将成功.
This is because you have not granted permission to view all databases. Querying only the specific database to which the policy has granted access will succeed.
这篇关于我想让用户仅在一个rds实例上具有完全访问权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!