根据命名空间或标签亚马逊AWS S3 IAM策略 [英] Amazon AWS S3 IAM Policy based on namespace or tag
问题描述
我有很多桶,与同一个命名空间开始在资产 - - 其中,一些> ,所以我想知道什么是给予权利的最佳选择为IAM组几乎不需要维护它。
I have a number of buckets that start with the same namespace as in assets-<something>, so I was wondering what would be the best option to give rights to IAM group with minimal need to maintain it.
是否可以使用任何类型的正则表达式的ARN?或者,也许我可以使用标签? EC2具有条件 ResourceTag ,但现在看来,它并没有为S3存在。
Is it possible to use any sort of regex in ARN? Or maybe I could use tags? EC2 has condition for ResourceTag, but it appears that it does not exist for S3.
或者我应该与每个桶中添加新ARN的政策呢?
Or should I with each bucket add new ARN to the policy?
我再次寻找最小的解决方案,以便安装新的政策,每个桶本身似乎是有点多。
Again I am searching for the minimal solution so attaching new policy to each bucket itself seems to be a bit much.
推荐答案
这是IAM策略可以授权访问基于通配符的Amazon S3桶。
An IAM policy can grant access to Amazon S3 buckets based on a wildcard.
例如,该策略授予的权限列出一个桶的内容和检索从一个桶一个对象,但前提是斗开始资产 - :
For example, this policy grants permissions to list the contents of a bucket and retrieve an object from a bucket, but only if the bucket starts with assets-:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SomeSID",
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::assets-*",
"arn:aws:s3:::assets-*/*"
]
}
]
}
注意资源部分指的是桶(对于 ListBucket )桶和内容(为 GetObject的)。
Note that the Resource section refers to both the bucket (for ListBucket) and the content of the bucket (for GetObject).
通配符也斗名外出务工,例如: ARN:AWS:S3 ::: * - 记录
Wildcard also work elsewhere in the bucket name, eg: arn:aws:s3:::*-record
这是不可能授予访问基于标签的Amazon S3桶。
It is not possible to grant access to Amazon S3 buckets based on Tags.
ARN格式
顺便说一句,如果你想知道为什么有这么多的冒号在ARN(亚马逊资源名称),一个Amazon S3存储,这是因为一个ARN一般格式为:
As an aside, if you're wondering why there are so many colons in the ARN (Amazon Resource Name) for an Amazon S3 bucket, it's because the normal format for an ARN is:
arn:aws:<service name>:<region>:<account>:<resource>
在一个Amazon S3存储的情况下,该区域和帐户可以从桶名称(它是全球唯一的)辨别,所以这些参数是空白。
In the case of an Amazon S3 bucket, the region and account can be discerned from the bucket name (which is globally unique), so those parameters are left blank.
这篇关于根据命名空间或标签亚马逊AWS S3 IAM策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
