[英]IAM Policy to determine S3 Bucket access based on user tags
I'm trying to create a policy for all members of a group that will grant the user's access to particular S3 buckets based on a Tag value set on the user's account.我正在尝试为一个组的所有成员创建一个策略,该策略将根据在用户帐户上设置的标签值授予用户对特定 S3 存储桶的访问权限。
For example, my user has tag environment=staging
, and I want to use this value to access buckets in s3 with the name staging
-- for example: my-${environment}-bucket
.例如,我的用户有标签
environment=staging
,我想使用此值访问 s3 中名为staging
的存储桶——例如: my-${environment}-bucket
。
Here's what my policy looks like:这是我的政策的样子:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::my-${aws:PrincipalTag/environment}-bucket/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:ListBucket",
"s3:DeleteBucket"
],
"Resource": "arn:aws:s3:::my-${aws:PrincipalTag/environment}-bucket"
}
]
}
Currently this isn't working.目前这不起作用。 I must be missing something.
我肯定错过了什么。
EDIT:编辑:
I'm using the IAM Policy Simulator tool ( https://policysim.aws.amazon.com/ ) to test this user & policy.我正在使用 IAM 策略模拟器工具 ( https://policysim.aws.amazon.com/ ) 来测试此用户和策略。 Screenshot below.
屏幕截图如下。
I've been able to achieve the desired behavior.我已经能够实现所需的行为。 Here's a minimal reproducible example:
这是一个最小的可重现示例:
environment
with the value test
.environment
,其值为test
。 I gave this user the following inline policy:{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::*${aws:PrincipalTag/environment}*"
}
]
}
mydevbucket
and another called mytestbucket
.mydevbucket
,另一个名为mytestbucket
。 I added one file to the mytestbucket
, " foo.txt ".mytestbucket
中添加了一个文件“ foo.txt ”。https://s3.console.aws.amazon.com/s3/buckets/mytestbucket?region=eu-west-2&tab=objects
for the test bucket, https://s3.console.aws.amazon.com/s3/buckets/mydevbucket?region=eu-west-2&tab=objects
for the dev bucket.https://s3.console.aws.amazon.com/s3/buckets/mytestbucket?region=eu-west-2&tab=objects
://s3.console.aws.amazon.com/s3/buckets/mytestbucket?region=eu-west-2&tab=用于测试存储桶的https://s3.console.aws.amazon.com/s3/buckets/mytestbucket?region=eu-west-2&tab=objects
, https://s3.console.aws.amazon.com/s3/buckets/mydevbucket?region=eu-west-2&tab=objects
//s3.console.aws.amazon.com/s3/buckets/mydevbucket?region=eu-west-2&tab=objects 用于开发存储桶。environment
tag has a the value test
):environment
标签有一个值test
): whereas in the dev bucket:而在开发桶中:
I discovered that my policy does indeed work if I test programmatic access from the CLI.我发现如果我从 CLI 测试编程访问,我的策略确实有效。 For example:
例如:
aws s3api list-objects --bucket my-staging-bucket --profile staging-user
Returns results aws s3api list-objects --bucket my-staging-bucket --profile staging-user
返回结果
aws s3api list-objects --bucket my-test-bucket --profile staging-user
Shows Access Denied aws s3api list-objects --bucket my-test-bucket --profile staging-user
显示拒绝访问
However, I was unable to get my policy to work through the IAM Policy Simulator Tool.但是,我无法通过 IAM Policy Simulator Tool 使我的策略生效。 If anyone can explain this as part of this question, I think it could help others with similar experience.
如果有人可以将此解释为这个问题的一部分,我认为它可以帮助其他有类似经验的人。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.