根据角色名称授予对 S3 资源的访问权限 [英] Granting access to S3 resources based on role name
问题描述
IAM 策略变量 非常酷,让您创建例如,根据用户名授予用户对 S3 存储桶中路径的访问权限的通用策略,如下所示:
IAM policy variables are quite cool and let you create generic policys to, for example, give users access to paths in an S3 bucket based on their username, like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:GetObject","s3:PutObject","s3:DeleteObject"],
"Effect": "Allow",
"Resource": "arn:aws:s3:::fooCorp-user-files/${aws:username}/*"
},
{
"Action": "s3:ListBucket",
"Effect": "Allow",
"Resource": "arn:aws:s3:::fooCorp-user-files"
}
]
}
我的问题是,如何使用角色(附加到 EC2 实例)而不是用户帐户来完成此操作?
My question is, how can this be done using roles (attached to EC2 instances) instead of user accounts?
我有许多应用服务器,它们具有唯一的 IAM 用户帐户,这些帐户链接到与上述类似的通用策略.这可以隔离每个用户/应用可访问的文件,而无需创建多个策略.
I have a number of app servers with unique IAM user accounts that are linked to a generic policy similar to the one above. This isolates the files accessible by each user/app without creating multiple policies.
我想将这些服务器切换为使用角色,但似乎没有像 aws:rolename
这样的等效 IAM 变量.
I want switch these servers to use roles instead but there doesn't seem to be an equivalent IAM variable like aws:rolename
.
文档 表明当使用分配给的角色时一个 EC2 实例,aws:username
变量没有设置,aws:userid
是 [role-id]:[ec2-instance-id]
(这也没有帮助).
The docs indicate that when using a role assigned to an EC2 instance the aws:username
variable isn't set and aws:userid
is [role-id]:[ec2-instance-id]
(which isn't helpful either).
这看起来真的是你应该能够做的事情......还是我的方式不对?
This really seems like something you should be able to do.. or am I coming at this the wrong way?
推荐答案
我一直在寻找相同的,经过大量搜索后我的结论是不可能将角色名称用作变量在 IAM 政策中(尽管我很乐意被证明是错误的).
I've been looking for the same and after a lot of searching my conclusion was that it is not possible to use the role name as a variable in a IAM policy (I'd love to be proven wrong though).
相反,我用 name
标记了我的角色,结果是这样的:
Instead, I tagged my role with a name
and ended up with this:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": ["s3:GetObject","s3:PutObject","s3:DeleteObject"],
"Effect": "Allow",
"Resource": "arn:aws:s3:::fooCorp-user-files/${aws:PrincipalTag/name}/*"
},
{
"Action": "s3:ListBucket",
"Effect": "Allow",
"Resource": "arn:aws:s3:::fooCorp-user-files"
}
]
}
这篇关于根据角色名称授予对 S3 资源的访问权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!