根据角色名称授予对 S3 资源的访问权限 [英] Granting access to S3 resources based on role name

问题描述

IAM 策略变量 非常酷，让您创建例如，根据用户名授予用户对 S3 存储桶中路径的访问权限的通用策略，如下所示:

IAM policy variables are quite cool and let you create generic policys to, for example, give users access to paths in an S3 bucket based on their username, like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:GetObject","s3:PutObject","s3:DeleteObject"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::fooCorp-user-files/${aws:username}/*"
        },
        {
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::fooCorp-user-files"
        }
    ]
}

我的问题是，如何使用角色(附加到 EC2 实例)而不是用户帐户来完成此操作?

My question is, how can this be done using roles (attached to EC2 instances) instead of user accounts?

我有许多应用服务器，它们具有唯一的 IAM 用户帐户，这些帐户链接到与上述类似的通用策略.这可以隔离每个用户/应用可访问的文件，而无需创建多个策略.

I have a number of app servers with unique IAM user accounts that are linked to a generic policy similar to the one above. This isolates the files accessible by each user/app without creating multiple policies.

我想将这些服务器切换为使用角色，但似乎没有像 aws:rolename 这样的等效 IAM 变量.

I want switch these servers to use roles instead but there doesn't seem to be an equivalent IAM variable like aws:rolename.

文档 表明当使用分配给的角色时一个 EC2 实例，aws:username 变量没有设置，aws:userid 是 [role-id]:[ec2-instance-id](这也没有帮助).

The docs indicate that when using a role assigned to an EC2 instance the aws:username variable isn't set and aws:userid is [role-id]:[ec2-instance-id] (which isn't helpful either).

这看起来真的是你应该能够做的事情......还是我的方式不对?

This really seems like something you should be able to do.. or am I coming at this the wrong way?

推荐答案

我一直在寻找相同的，经过大量搜索后我的结论是不可能将角色名称用作变量在 IAM 政策中(尽管我很乐意被证明是错误的).

I've been looking for the same and after a lot of searching my conclusion was that it is not possible to use the role name as a variable in a IAM policy (I'd love to be proven wrong though).

相反，我用 name 标记了我的角色，结果是这样的:

Instead, I tagged my role with a name and ended up with this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:GetObject","s3:PutObject","s3:DeleteObject"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::fooCorp-user-files/${aws:PrincipalTag/name}/*"
        },
        {
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::fooCorp-user-files"
        }
    ]
}

这篇关于根据角色名称授予对 S3 资源的访问权限的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！