如何将S3存储桶名称后缀与usename前缀进行匹配
[英]How to match S3 bucket name suffix against usename prefix
问题描述
I want to setup a policy inside AWS IAM service to allow users following specific pattern to connect to S3 buckets which names are following the specific pattern. 
我想在AWS IAM服务中设置一个策略,以允许遵循特定模式的用户连接到名称遵循特定模式的S3存储桶。
My users looks like archiver_clientname , my buckets look like clientname_archive . 我的用户看起来像archiver_clientname ,我的桶看起来像clientname_archive 。 So far I read through this and this 到目前为止,我通读了这个和这个
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*"
"Condition": {"StringLike": {"${s3:prefix}": ["${aws:username:suffix}/*"]}}
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::EXAMPLE-BUCKET-NAME/*"
}
]
}
${s3:prefix} and ${aws:username:suffix} are some variables which I made up, well ${s3:prefix} actually exists but I'm not sure if that does what I expect it to be doing. ${s3:prefix}和${aws:username:suffix}是我编造的一些变量,而${s3:prefix}实际上存在,但我不确定这是否符合我的预期。 It would be great to be able to match my bucket names against my user names without renaming them because otherwise names will not be speaking and be just client-names, though I have other buckets with different purposes. 能够将我的存储桶名称与我的用户名匹配而不重命名它会很棒,因为否则名称不会说话而只是客户端名称,尽管我有其他不同用途的存储桶。 It will be Ok to swap user prefix and suffix or use different separator though. 交换用户前缀和后缀或使用不同的分隔符是可以的。 And looks like the policy tool has enough flexibility to solve my task I just can't find the right documentation somehow. 并且看起来政策工具有足够的灵活性来解决我的任务我无法以某种方式找到正确的文档。
I also do not want to setup a new policy for each user. 我也不想为每个用户设置新策略。
I will be happy with the answer that my approach is wrong with a good explanation why it is wrong and what I can do instead. 我会很满意答案,我的方法是错误的,并且很好地解释了为什么它是错误的以及我可以做什么。
1 个解决方案
解决方案1
3 已采纳 2016-05-24 14:21:49
First off, when a user gets the list of buckets, it's not possible to limit the list that is returned to the user. 首先,当用户获取存储桶列表时,不可能限制返回给用户的列表。 So, don't put a condition on the "s3:ListAllMyBuckets" action. 所以,不要在“s3:ListAllMyBuckets”动作上加上条件。 Either they see all the buckets, or they see none. 要么他们看到所有的桶,要么他们看不到任何桶。
Next, you cannot "split apart" the username. 接下来,您无法“拆分”用户名。 The IAM policy language isn't that sophisticated. IAM策略语言并不复杂。 If your username is "archiver_username", then you should be able to match it to a bucket "archiver_username_archive" by using the `${aws:username} variable in the resource: 如果您的用户名是“archiver_username”,那么您应该能够通过使用资源中的`$ {aws:username}变量将其与存储桶“archiver_username_archive”匹配:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket",
"s3:GetBucketLocation"
],
"Resource": "arn:aws:s3:::${aws:username}_archive"
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::${aws:username}_archive/*"
}
]
}
But the language does not permit you to match a bucket called "username_archive". 但是该语言不允许您匹配名为“username_archive”的存储桶。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.