是否可以为 AWS 角色信任关系指定模式 [英] Is it possible to specify a pattern for an AWS role Trust Relationship
问题描述
我想允许来自不同帐户的某些角色代入我的帐户中的角色.我不想一一指定角色,因为它们容易频繁变化.
I want to allow some roles from a different account to assume a role in my account. I don't want to specify the roles one by one, because they're prone to change frequently.
我为信任关系提出了这个策略,它应该允许名称以 _my_suffix 结尾的任何角色,但它不起作用(访问被拒绝):
I came up with this policy for the Trust Relationship, which should allow any role which name ends with _my_suffix, but it doesn't work (access is denied):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
},
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:iam::ACCOUNT_NR_A:role/*_my_suffix"
}
},
"Action": "sts:AssumeRole"
}
]
}
另一方面,此政策有效但过于开放,因为它允许帐户 A 中的任何用户/角色担任我的角色:
On the other hand, this policy works but it's too open, as it allows any user/role in account A to assume my role:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
},
"Action": "sts:AssumeRole"
}
]
}
那么,有没有办法只允许一组角色而不被明确指定?
So, is there any way to allow only a set of roles without being explicitly specified?
推荐答案
我最近遇到了同样的用例.没有任何回复为我解决了这个问题.
I encountered the same use-case recently. None of the responses resolved this for me.
Charli,您的原始解决方案是有效的,但我需要进行一些调整才能使其正常工作,即,我需要将ArnLike"替换为stringLike"并将aws:SourceArn"切换为使用aws:PrincipalArn":
Charli, your original solution is valid but I needed some tweaks get it to work, namely, I needed to replace 'ArnLike' with 'stringLike' and switch 'aws:SourceArn' to use 'aws:PrincipalArn':
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:PrincipalArn": "arn:aws:iam::<ACCOUNT_ID>:role/test-role-name-*"
}
}
}
这篇关于是否可以为 AWS 角色信任关系指定模式的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
