授予对具有特定“标签"的 s3 的访问权限使用 AWS IAM 角色和策略 [英] Giving access to s3 having a specific "tag" using AWS IAM roles and policy

问题描述

我想创建一个 AWS IAM 策略，这样附加的角色应该有权访问所有具有标签Team = devops"的 S3 存储桶.我尝试了以下 JSON 文件，但它不起作用.

I want to create an AWS IAM Policy, such that the attached role should have access to all S3 buckets having the Tag , "Team = devops". I tried the following JSON file, but it wont work.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "arn:aws:s3:::*",
            "Condition": {
                "StringEquals": {"s3:ResourceTag/Team": "devops"}
            }
        }
    ]
}

推荐答案

根据 可用条件键, s3:ResourceTag 不适用于 S3 条件.

As per Available Condition Keys, s3:ResourceTag is not available for S3 conditions.

可用于在 Amazon S3 访问策略中指定条件的预定义键可分类如下:

The predefined keys available for specifying conditions in an Amazon S3 access policy can be classified as follows:

如 对象标记和访问控制策略，可以使用 s3:ExistingObjectTag 条件键对每个对象进行访问控制.

As in Object Tagging and Access Control Policies, access control per object is possible with s3:ExistingObjectTag condition key.

以下权限策略授予用户读取对象的权限，但条件将读取权限限制为仅具有以下特定标签键和值的对象.

安全:公共

The following permissions policy grants a user permission to read objects, but the condition limits the read permission to only objects that have the following specific tag key and value.

security : public

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect":     "Allow",
      "Action":     "s3:GetObject",
      "Resource":    "arn:aws:s3:::examplebucket/*",
      "Principal":   "*",
      "Condition": {  "StringEquals": {"s3:ExistingObjectTag/security": "public" } }
    }
  ]
}

这篇关于授予对具有特定“标签"的 s3 的访问权限使用 AWS IAM 角色和策略的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！