根据角色名称授予对S3资源的访问权限 [英] Granting access to S3 resources based on role name
问题描述
IAM 政策变量非常酷,您可以创建通用策略,例如,使用户可以根据用户名访问S3存储桶中的路径,如下所示:
IAM policy variables are quite cool and let you create generic policys to, for example, give users access to paths in an S3 bucket based on their username, like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:GetObject","s3:PutObject","s3:DeleteObject"],
"Effect": "Allow",
"Resource": "arn:aws:s3:::fooCorp-user-files/${aws:username}/*"
},
{
"Action": "s3:ListBucket",
"Effect": "Allow",
"Resource": "arn:aws:s3:::fooCorp-user-files"
}
]
}
我的问题是,如何使用角色(附加到EC2实例)而不是用户帐户来完成此操作?
My question is, how can this be done using roles (attached to EC2 instances) instead of user accounts?
我有许多具有唯一IAM用户帐户的应用程序服务器,这些帐户已链接到与上述类似的通用策略.这样可以隔离每个用户/应用可访问的文件,而无需创建多个策略.
I have a number of app servers with unique IAM user accounts that are linked to a generic policy similar to the one above. This isolates the files accessible by each user/app without creating multiple policies.
我想将这些服务器切换为使用角色,但是似乎没有像aws:rolename
这样的等效IAM变量.
I want switch these servers to use roles instead but there doesn't seem to be an equivalent IAM variable like aws:rolename
.
文档指示使用分配给以下角色的角色在EC2实例中,未设置aws:username
变量,而aws:userid
是[role-id]:[ec2-instance-id]
(也无济于事).
The docs indicate that when using a role assigned to an EC2 instance the aws:username
variable isn't set and aws:userid
is [role-id]:[ec2-instance-id]
(which isn't helpful either).
这确实看起来应该是您应该能够做的事情.还是我走错了方向?
This really seems like something you should be able to do.. or am I coming at this the wrong way?
推荐答案
我一直在寻找相同的东西,经过大量搜索,我的结论是不可能将角色名称用作变量在IAM政策中(不过,我很乐意证明自己是错的).
I've been looking for the same and after a lot of searching my conclusion was that it is not possible to use the role name as a variable in a IAM policy (I'd love to be proven wrong though).
相反,我用name
标记了我的角色,结果是这样:
Instead, I tagged my role with a name
and ended up with this:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:GetObject","s3:PutObject","s3:DeleteObject"],
"Effect": "Allow",
"Resource": "arn:aws:s3:::fooCorp-user-files/${aws:PrincipalTag/name}/*"
},
{
"Action": "s3:ListBucket",
"Effect": "Allow",
"Resource": "arn:aws:s3:::fooCorp-user-files"
}
]
}
这篇关于根据角色名称授予对S3资源的访问权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!