堆栈内存溢出
  简体   繁体   English

仅基于存储桶策略将 AWS IAM 实例角色策略设置为 GetObject

[英]Setup AWS IAM instace role policy to GetObject based only on bucket policy

 原文  2022-03-20 09:22:25       amazon-web-services/ amazon-s3/ amazon-iam/ aws-policies

问题描述

I'm not able to change IAM role policy in our corporate environment.我无法更改公司环境中的 IAM 角色策略。 So I want to be able to change role's permissions to S3 based on bucket policy.所以我希望能够根据存储桶策略将角色的权限更改为 S3。 I want to setup AWS IAM instance role to have Allow on "s3:GetObject" based on this bucket policy.我想根据此存储桶策略将 AWS IAM 实例角色设置为允许“s3:GetObject”。

I have this in my bucket policy:我的存储桶策略中有这个:

{
        "Sid": "tag-based",
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::XY:role/testing"
        },
        "Action": "s3:*",
        "Resource": [
            "arn:aws:s3:::bucket1/path1/*",
            "arn:aws:s3:::bucket1/path1"
        ]
    },

And I want something like this in my IAM role inline policy -> To have allow only for resources which have TagKey equal to 'SG':我在我的 IAM 角色内联策略中想要这样的东西 -> 只允许 TagKey 等于'SG'的资源:

{
        "Effect": "Allow",
        "Action": [
            "s3:PutObject",
            "s3:GetObject",
            "s3:DeleteObject",
            "s3:PutObjectAcl"
        ],
        "Resource": "<HOW TO SETUP IT ONLY FOR RESORUCES WHICH HAVE TAG KEY 'SG?'>",
        "Condition": {
            "ForAllValues:StringEquals": {
                "aws:TagKeys": [
                    "SG"
                ]
            }
        }
    }


Is this right way to achieve it?

1 个解决方案

解决方案1
 1  2022-03-20 11:42:56

S3 support for Authorization based on tags is partial that means not all the operations supports tag based conditions. S3 对基于标签的授权的支持是部分的,这意味着并非所有操作都支持基于标签的条件。 Which is further mentioned here as well . 这里也进一步提到了这一点

As far as the calls you mentioned in your policy how they work with tags are described here就您在政策中提到的电话而言, 此处描述了它们如何使用标签

GetObject and PutObect revolves around x-amz-tag-count header . GetObjectPutObect围绕x-amz-tag-count header Which further requires another permission named GetObjectTagging这进一步需要另一个名为GetObjectTagging 的权限

"<HOW TO SETUP IT ONLY FOR RESORUCES WHICH HAVE TAG KEY 'SG?'>" “<如何仅为具有标签键“SG”的资源设置它?>”

There is no such clause for resources specifically, you can find the same in the above linked page under the section named Resource types defined by Amazon S3没有专门针对资源的此类条款,您可以在上面的链接页面中名为Resource types defined by Amazon S3的部分下找到相同的条款

In summary what you are trying to achieve simply in terms of tag based authorization might not fully work as you expect.总而言之,您尝试仅通过基于tag的授权来实现的目标可能无法完全按照您的预期工作。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Bucket Policy 允许写入访问,尽管策略中只有 getObject - Bucket Policy allows for write access despite only having getObject in policy 将策略附加到 IAM 角色 - Attach policy to a IAM Role Terraform AWS IAM 角色“inline_policy.0.policy”包含使用 ${file xyz} 和 jsonencode 的无效 JSON 策略 - Terraform AWS IAM Role “inline_policy.0.policy” contains an invalid JSON policy using ${file xyz} and jsonencode terraform managed_policy_arns 问题与 aws_iam_role - terraform managed_policy_arns issue with aws_iam_role aws_iam_role 和aws_iam_role_policy 是什么意思? - What is the meaning of aws_iam_role and aws_iam_role_policy? 基于用户标签确定 S3 Bucket 访问的 IAM 策略 - IAM Policy to determine S3 Bucket access based on user tags AWS 管理员角色政策 - AWS Admin Role Policy 添加基于资源的策略与 IAM 策略 - Adding a resource based policy vs IAM policy AWS 自定义 IAM 策略问题 - AWS custom IAM policy issue 向自动创建的 IAM 角色添加策略 - Add policy to the auto created IAM role
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM