Can wildcard character (*) be used in the fine-grained access policy for dynamodb?

Question

I have an Amazon dynamodb table with partition key composed of the user's id (from facebook or google) and other characters. I know wildcard can be used to specify the properties of a fine-grained access policy, but I couldn't get the wildcard in the dynamodb:LeadingKeys working.

Here is the working policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:<region>:<...>:table/<table-name>"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "g_${accounts.google.com:sub}"
                    ]
                }
            }
        }
    ]
}
However, this does not work:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:<region>:<...>:table/<table-name>"
            ],
            "Condition": {
                "ForAllValues:StringEquals": {
                    "dynamodb:LeadingKeys": [
                        "*_${accounts.google.com:sub}"
                    ]
                }
            }
        }
    ]
}
Accepted answer

I found the solution to this. So instead of using ForAllValues:StringEquals, use ForAllValues:StringLike.

The working policy is as follows:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "dynamodb:BatchGetItem",
                "dynamodb:BatchWriteItem",
                "dynamodb:DeleteItem",
                "dynamodb:GetItem",
                "dynamodb:PutItem",
                "dynamodb:Query",
                "dynamodb:UpdateItem"
            ],
            "Resource": [
                "arn:aws:dynamodb:<region>:<...>:table/<table-name>"
            ],
            "Condition": {
                "ForAllValues:StringLike": {
                    "dynamodb:LeadingKeys": [
                        "*_${accounts.google.com:sub}"
                    ]
                }
            }
        }
    ]
}
Took me a while to find this reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AccessPolicyLanguage_ConditionType
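Added example (not from the question or the answer): a small Python model of how IAM evaluates the two condition blocks above, using a constructed Google subject id. It shows why StringEquals cannot work here (the `*` is compared as a literal character), why StringLike does (the `*` is a glob), and what ForAllValues means for requests that touch several partition keys, including the caveat that it is vacuously true when the request carries no leading keys at all.

```python
import re

# IAM StringLike: '*' matches any run of characters, '?' exactly one; all else is literal.
def iam_glob_to_regex(pattern: str) -> re.Pattern:
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$", re.DOTALL)

# Replace ${key} policy variables from the request context; a variable that is
# absent from the context cannot match anything, so the pattern is dropped.
def substitute_vars(value: str, context: dict):
    try:
        return re.sub(r"\$\{([^}]+)\}", lambda m: context[m.group(1)], value)
    except KeyError:
        return None

OPERATORS = {
    "StringEquals": lambda pat, val: pat == val,          # '*' is just a character here
    "StringLike": lambda pat, val: iam_glob_to_regex(pat).match(val) is not None,
}

def evaluate_condition(condition: dict, request: dict, context: dict) -> bool:
    """Return True if every clause in a policy Condition block is satisfied.
    request maps a context key (e.g. dynamodb:LeadingKeys) to the list of values
    carried by the request; only ForAllValues/ForAnyValue set operators are modelled."""
    for qualified_op, keys in condition.items():
        set_op, _, base_op = qualified_op.partition(":")
        if set_op not in ("ForAllValues", "ForAnyValue") or base_op not in OPERATORS:
            raise ValueError(f"unsupported operator {qualified_op}")
        match = OPERATORS[base_op]
        for key, policy_values in keys.items():
            patterns = [p for p in (substitute_vars(v, context) for v in policy_values) if p]
            hits = [any(match(p, v) for p in patterns) for v in request.get(key, [])]
            # ForAllValues: every request value must match a policy value; note that an
            # empty request value set satisfies it (a known IAM caveat).
            if not (all(hits) if set_op == "ForAllValues" else any(hits)):
                return False
    return True

# Constructed sample identity context; a real request carries the Google 'sub' claim.
CONTEXT = {"accounts.google.com:sub": "110248495921238986420"}

EQUALS_WILDCARD = {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": ["*_${accounts.google.com:sub}"]}}
LIKE_WILDCARD = {"ForAllValues:StringLike": {"dynamodb:LeadingKeys": ["*_${accounts.google.com:sub}"]}}

def allowed_by(condition: dict, leading_keys: list) -> bool:
    """Evaluate a Condition block against the partition keys a request touches."""
    return evaluate_condition(condition, {"dynamodb:LeadingKeys": leading_keys}, CONTEXT)

if __name__ == "__main__":
    for name, cond in (("StringEquals", EQUALS_WILDCARD), ("StringLike", LIKE_WILDCARD)):
        print(name, "g_<sub> allowed:", allowed_by(cond, ["g_110248495921238986420"]))
```

Because the `*` in the StringLike pattern matches any prefix, the policy grants every partition key that ends in `_<sub>`, not only the `g_` and `fb_` forms; an item whose key is exactly `*_<sub>` would, conversely, have been accepted by the StringEquals policy.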