根据角色名称授予对S3资源的访问权限 [英] Granting access to S3 resources based on role name

问题描述

IAM 政策变量非常酷，您可以创建通用策略，例如，使用户可以根据用户名访问S3存储桶中的路径，如下所示:

IAM policy variables are quite cool and let you create generic policys to, for example, give users access to paths in an S3 bucket based on their username, like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:GetObject","s3:PutObject","s3:DeleteObject"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::fooCorp-user-files/${aws:username}/*"
        },
        {
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::fooCorp-user-files"
        }
    ]
}

我的问题是，如何使用角色(附加到EC2实例)而不是用户帐户来完成此操作?

My question is, how can this be done using roles (attached to EC2 instances) instead of user accounts?

我有许多具有唯一IAM用户帐户的应用程序服务器，这些帐户已链接到与上述类似的通用策略.这样可以隔离每个用户/应用可访问的文件，而无需创建多个策略.

I have a number of app servers with unique IAM user accounts that are linked to a generic policy similar to the one above. This isolates the files accessible by each user/app without creating multiple policies.

我想将这些服务器切换为使用角色，但是似乎没有像aws:rolename这样的等效IAM变量.

I want switch these servers to use roles instead but there doesn't seem to be an equivalent IAM variable like aws:rolename.

文档指示使用分配给以下角色的角色在EC2实例中，未设置aws:username变量，而aws:userid是[role-id]:[ec2-instance-id](也无济于事).

The docs indicate that when using a role assigned to an EC2 instance the aws:username variable isn't set and aws:userid is [role-id]:[ec2-instance-id] (which isn't helpful either).

这确实看起来应该是您应该能够做的事情.还是我走错了方向?

This really seems like something you should be able to do.. or am I coming at this the wrong way?

推荐答案

我一直在寻找相同的东西，经过大量搜索，我的结论是不可能将角色名称用作变量在IAM政策中(不过，我很乐意证明自己是错的).

I've been looking for the same and after a lot of searching my conclusion was that it is not possible to use the role name as a variable in a IAM policy (I'd love to be proven wrong though).

相反，我用name标记了我的角色，结果是这样:

Instead, I tagged my role with a name and ended up with this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:GetObject","s3:PutObject","s3:DeleteObject"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::fooCorp-user-files/${aws:PrincipalTag/name}/*"
        },
        {
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::fooCorp-user-files"
        }
    ]
}

这篇关于根据角色名称授予对S3资源的访问权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！