为SAML的IAM角色创建策略 [英] Creating Policy for SAML's IAM role
问题描述
我正在尝试为联盟用户的IAM角色创建策略(通过SAML提供程序进行身份验证).我正在追踪为SAML 2.0联盟创建角色(控制台) -AWS Identity and Access Management :
I'm trying to create a policy for an IAM role for my federated users (authenticating through my SAML provider). I'm following Creating a Role for SAML 2.0 Federation (Console) - AWS Identity and Access Management:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRoleWithSAML",
"Principal": {"Federated": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:saml-provider/PROVIDER-NAME"},
"Condition": {"StringEquals": {"SAML:aud": "https://signin.aws.amazon.com/saml"}}
}
}
但是我收到以下错误消息:
But I get following error:
This policy contains the following error: Has prohibited field Principal For more information about the IAM policy grammar, see AWS IAM Policies
我尝试使用Google进行搜索,但没有成功. AWS信任策略已禁止字段Principal-Stack Overflow 的答案也没有帮助.有人可以告诉我如何为我的SAML提供者创建策略和角色吗?
I tried to Google it but no success. The answer on AWS Trust Policy Has prohibited field Principal - Stack Overflow wasn't helpful either. Can someone tell me how can I create policy and role for my SAML provider?
推荐答案
问题已解决.该文档过时且具有误导性.如果您通过IAM控制台为SAML提供程序创建角色,则会自动在其中建立信任关系.因此,只需要添加权限即可.
Problem solved. The documentation is old and misleading. If you create a role for SAML provider via IAM Console, automatically it has trust relationship built in there. So, just permissions need to be added.
这篇关于为SAML的IAM角色创建策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!