AWS IAM-使用条件 [英] AWS IAM -- Using conditionals

问题描述

我是AWS中IAM的新手。而且，我希望将针对各种用户的查询限制为仅主键与认知ID匹配的表条目。为此，我创建了策略：

I am new to IAM in AWS. And, i desire to restrict the Query for various users to only table entries where primary key matches the cognito id. To achieve this, I created the policy:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "AllowAccessToOnlyItemsMatchingUserID",
        "Effect": "Allow",
        "Action": [
            "dynamodb:GetItem",
            "dynamodb:BatchGetItem",
            "dynamodb:Query",
            "dynamodb:PutItem",
            "dynamodb:UpdateItem",
            "dynamodb:DeleteItem",
            "dynamodb:BatchWriteItem"
        ],
        "Resource": [
            "arn:aws:dynamodb:us-east-1:XXXXXXXXXXX:table/User"
        ],
        "Condition": {
            "ForAllValues:StringEquals": {
                "dynamodb:LeadingKeys": [
                    "${cognito-identity.amazonaws.com:sub}"
                ]
            }
        }
    }
]

}

但是，当我查询表u如下所示唱歌邮递员：

But, when i am querying the table using Postman as shown below:

我遇到以下错误：

"__type": "com.amazon.coral.service#AccessDeniedException",


"Message": "User: arn:aws:sts::XXXXXXXXXXXXX:assumed-role/Achintest/BackplaneAssumeRoleSession is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:XXXXXXXXXXXXX:table/User"

有人可以让我知道我在做什么错误吗？

Can someone please let me know what mistake i am doing?

========更新========

======== UPDATE ========

我尝试使用策略sim，但我无法理解为什么允许如下图所示的无LeadingKey的查询。

I tried using policy sim, and i am unable to understand why the Query without LeadingKey as shown in pic below is allowed.

，当我提供前导密钥时，它说被拒绝。参见以下图片：

and when i provide the leading key, it says denied. See below pic:

推荐答案

该错误消息具有误导性。 （我有同样的问题）
我创建了一个表，设置了一个策略，并且可以执行查询和扫描。
该表仍然为空，但查询和扫描返回了合理的0条结果行。

The error message is misleading. (I had the same problem) I created a table, set up a policy and could do "query" and "scan". The table was still empty but query and scan returned reasonably 0 result lines.

然后我想要细粒度的访问控制并添加

Then I wanted fine grained access control and added

"Condition": {
    "ForAllValues:StringEquals": {
        "dynamodb:LeadingKeys": [
             "${aws:userid}"
        ]
    }
}

从这时开始，AWS报告了 AccessDeniedException ....用户...无权执行：dynamodb：查询资源...

from this point on AWS reported "AccessDeniedException" .... User ... is not authorized to perform: dynamodb:Query on resource...

无论如何，我还是继续用数据填充表-等等-现在可以了。
因此，如果不希望出现错误消息，则该错误消息可能很有意义空结果集。

I continued filling the table with data anyway - et voilà - now it works. So the error message might make sense if one doesn't expect an empty resultset.

这篇关于AWS IAM-使用条件的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！