定义关于IAM角色的操作的两个陈述 [英] Defining two statements for the action on an IAM role
问题描述
在IAM角色中是否可以针对同一操作使用两个语句? 对于不同的动作,它可以正常工作,但是当为相同的动作创建新的语句时,它将无法正常工作.
Is it possible, to have two statements for the same action in an IAM role? For different actions, it works fine, but when creating a new statement for the same actions it's not working.
示例:
IamDeploymentRole:
Type: "AWS::IAM::Role"
Properties:
RoleName: "iam-deployment"
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: "Allow"
Principal:
AWS:
- !Sub "arn:aws:iam::${ManagementAccountID}:root"
Action:
- "sts:AssumeRole"
Condition:
IpAddress:
X
- Effect: "Allow"
Principal:
Service:
- "some service"
Action:
- "sts:AssumeRole"
我正在尝试这样做,但这就像声明中的第二项被忽略了一样.我不知道此过滤器的工作原理. 例如,当一条语句与动作匹配但与条件不匹配时,它是否继续前进?还是首先知道不停止?
I'm trying to do it, but it's like the second item on the statement is being ignored. I don't know how exactly this filter works. For instance, when a statement matches the action but not the condition, does it moves on? or in the first know no it stops?
我尝试了很多文档,但是找不到答案.
I tried a lot of documentation, but couldn't find an answer.
条件: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition.html
警察和权限: https://docs.aws.amazon .com/IAM/latest/UserGuide/access_policies.html
推荐答案
似乎您正在定义AssumeRolePolicyDocument,这是IAM角色的信任策略.
It appears that you are defining AssumeRolePolicyDocument, which is the Trust Policy for an IAM Role.
我通过创建具有信任Amazon EC2和AWS Lambda的信任策略的IAM角色来对此进行了测试:
I tested this by creating an IAM Role with a Trust Policy that trusted both Amazon EC2 and AWS Lambda:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
然后我为该角色分配了Amazon S3权限.
I then assigned Amazon S3 permissions to the role.
测试:
- EC2 :我尝试使用此角色启动Amazon EC2实例,但是该角色未出现在下拉列表中.
- Lambda::我能够将角色成功附加到AWS Lambda函数并访问Amazon S3.
- EC2: I attempted to launch an Amazon EC2 instance with this role, but the role did not appear in the drop-down list.
- Lambda: I was able to successfully attach the role to an AWS Lambda function and access Amazon S3.
然后我交换了信任关系的顺序:
I then swapped the order of the trust relationships:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
这没有影响-Lambda正常运行,但EC2无法识别该角色.
This had no impact — Lambda worked fine, but EC2 would not recognize the role.
然后我从信任关系中删除了Lambda:
I then removed Lambda from the Trust Relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
这导致该角色从Lambda控制台中消失,而且奇怪的是,该角色也没有出现在EC2控制台中.
This caused the role to disappear from the Lambda console and, strangely, it also did not appear for use in the EC2 console.
然后,我创建了一个相同角色(仅将EC2作为受信任实体),并且工作正常.
I then created an identical role (with just EC2 as the trusted entity) and it worked fine.
底线::当信任策略"中有多个服务时,这些服务似乎确实变得混乱.即使修改了信任策略,它似乎也好像记住"了第一个服务而忽略了其他服务.因此,似乎您只能在信任策略"中指定一项服务.
Bottom line: The services do seem to get confused when there are multiple services in the Trust Policy. It is almost as if it "remembers" the first service and ignores the others, even when the trust policy is modified. Therefore, it seems that you can only specify one service in a Trust Policy.
这篇关于定义关于IAM角色的操作的两个陈述的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
