How to validate an ARN before applying an AWS policy?
I have a list of ARNs from numerous accounts in a configuration file that I then build into an S3 bucket policy. But if one of these ARNs is invalid, say arn:aws:iam::12345679012:user/foo-bar, then I will get the following exception when trying to apply a policy that includes that ARN:
lib/aws/core/client.rb:375:in `return_or_raise': Invalid principal in policy (AWS::S3::Errors::MalformedPolicy)
It seems like this could cause problems should any of the ARNs in my file get deleted. Then, I can't append to the existing policy. I'd have to find out which ARN is the "poison pill" and delete it. But the exception message doesn't give that information to me.
Questions:
Your question doesn't specify Ruby, so I will show you how I handled this (poorly, I suspect) with the Python Boto3 library.
While trying to update an assume-role policy with a number of ARNs, one or more were invalid. Here is the boto call which produces an error:
    import json
    import botocore.exceptions

    # botocore raises ClientError for a rejected policy document
    try:
        iamClient.update_assume_role_policy(RoleName=curated_role_name, PolicyDocument=json.dumps(assume_role_policy_document))
    except botocore.exceptions.ClientError as e:
        print(e.response['Error']['Message'])
The result from the above code snippet is:
Invalid principal in policy: "AWS":"arn:aws:iam::42xxxxx:user/idontexist"
I then do a simple RE to extract the bad ARN and then attempt to re-apply my update. If there are still bad ARNs in the list, then I get the next one in the list and remove that. This recurses until the policy is accepted.
I was searching for exactly the same thing you were - an "ARN Validator". I didn't find it, so I had to handle it myself. I thought about checking all the ARNs involved in a separate function, but since it's rare I run into the issue, I didn't want to incur the overhead.
I hope you may find some of this helpful.
Dave O
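As an added illustration of both halves of this thread (not code from either poster): a cheap local shape check that would already reject the question's 11-digit account id, plus the answer's "parse the error, drop that ARN, retry" loop. The AWS call is replaced by a constructed stand-in, and PolicyRejected is an assumed stand-in for botocore.exceptions.ClientError with the same e.response['Error']['Message'] shape.

```python
import re

# Syntactic shape of an IAM user/role ARN: 12-digit account id, user or role resource.
IAM_PRINCIPAL_ARN = re.compile(
    r"^arn:(aws|aws-cn|aws-us-gov):iam::\d{12}:(user|role)/[\w+=,.@/-]+$")
# Shape of the message the answer above shows in e.response['Error']['Message'].
INVALID_PRINCIPAL_MSG = re.compile(
    r'Invalid principal in policy: "AWS":"(?P<arn>[^"]+)"')

def is_well_formed_principal(arn):
    """Cheap local check: catches typos such as an 11-digit account id.
    It cannot tell whether the user or role actually exists."""
    return IAM_PRINCIPAL_ARN.match(arn) is not None

def bad_arn_from_message(message):
    """Pull the rejected ARN out of the MalformedPolicy error text."""
    m = INVALID_PRINCIPAL_MSG.search(message)
    return m.group("arn") if m else None

class PolicyRejected(Exception):
    """Assumed stand-in for botocore.exceptions.ClientError (same .response shape)."""
    def __init__(self, message):
        super().__init__(message)
        self.response = {"Error": {"Code": "MalformedPolicy", "Message": message}}

def apply_with_retry(principals, apply, max_rounds=20):
    """Apply the policy; on each rejection drop the ARN named in the error and retry.
    Returns the removed ARNs too, so the shrinking trust list is auditable."""
    remaining, removed = list(principals), []
    for _ in range(max_rounds):
        try:
            apply(remaining)
            return {"accepted": remaining, "removed": removed}
        except PolicyRejected as e:
            bad = bad_arn_from_message(e.response["Error"]["Message"])
            if bad is None or bad not in remaining:
                raise  # unparseable or unexpected message: surface it, do not guess
            remaining.remove(bad)
            removed.append(bad)
    raise RuntimeError("policy still rejected after %d rounds" % max_rounds)

# Constructed stand-in for iamClient.update_assume_role_policy: rejects unknown principals.
KNOWN_PRINCIPALS = {"arn:aws:iam::123456789012:user/foo-bar",
                    "arn:aws:iam::123456789012:role/deploy"}

def fake_apply(principals):
    for arn in principals:
        if arn not in KNOWN_PRINCIPALS:
            raise PolicyRejected('Invalid principal in policy: "AWS":"%s"' % arn)
```

Only AWS can confirm that a syntactically valid principal still exists, so the shape check trims obvious typos and the retry loop handles deleted users and roles.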