基于用户标签确定 S3 Bucket 访问的 IAM 策略
[英]IAM Policy to determine S3 Bucket access based on user tags
问题描述
I'm trying to create a policy for all members of a group that will grant the user's access to particular S3 buckets based on a Tag value set on the user's account.
我正在尝试为一个组的所有成员创建一个策略,该策略将根据在用户帐户上设置的标签值授予用户对特定 S3 存储桶的访问权限。
For example, my user has tag environment=staging , and I want to use this value to access buckets in s3 with the name staging -- for example: my-${environment}-bucket .例如,我的用户有标签environment=staging ,我想使用此值访问 s3 中名为staging的存储桶——例如: my-${environment}-bucket 。
Here's what my policy looks like:这是我的政策的样子:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::my-${aws:PrincipalTag/environment}-bucket/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:ListBucket",
"s3:DeleteBucket"
],
"Resource": "arn:aws:s3:::my-${aws:PrincipalTag/environment}-bucket"
}
]
}
Currently this isn't working.目前这不起作用。 I must be missing something.我肯定错过了什么。
EDIT:编辑:
I'm using the IAM Policy Simulator tool ( https://policysim.aws.amazon.com/ ) to test this user & policy.我正在使用 IAM 策略模拟器工具 ( https://policysim.aws.amazon.com/ ) 来测试此用户和策略。 Screenshot below.屏幕截图如下。
1 个解决方案
解决方案1
2 2022-05-25 20:06:28
I've been able to achieve the desired behavior.我已经能够实现所需的行为。 Here's a minimal reproducible example:这是一个最小的可重现示例:
- I created a user " foobar " with no permissions.我创建了一个没有权限的用户“ foobar ”。 I gave this user a tag
environmentwith the valuetest.我给这个用户一个标签environment,其值为test。 I gave this user the following inline policy:我给了这个用户以下内联策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::*${aws:PrincipalTag/environment}*"
}
]
}
- I created two buckets, one called
mydevbucketand another calledmytestbucket.我创建了两个存储桶,一个名为mydevbucket,另一个名为mytestbucket。 I added one file to themytestbucket, " foo.txt ".我在mytestbucket中添加了一个文件“ foo.txt ”。 - I logged in the AWS account as the " foobar " user, and tried to navigate to the two buckets:
https://s3.console.aws.amazon.com/s3/buckets/mytestbucket?region=eu-west-2&tab=objectsfor the test bucket,https://s3.console.aws.amazon.com/s3/buckets/mydevbucket?region=eu-west-2&tab=objectsfor the dev bucket.我以“ foobar ”用户身份登录 AWS 账户,并尝试导航到两个存储桶: https://s3.console.aws.amazon.com/s3/buckets/mytestbucket?region=eu-west-2&tab=objects://s3.console.aws.amazon.com/s3/buckets/mytestbucket?region=eu-west-2&tab=用于测试存储桶的https://s3.console.aws.amazon.com/s3/buckets/mytestbucket?region=eu-west-2&tab=objects,https://s3.console.aws.amazon.com/s3/buckets/mydevbucket?region=eu-west-2&tab=objects//s3.console.aws.amazon.com/s3/buckets/mydevbucket?region=eu-west-2&tab=objects 用于开发存储桶。
As expected, I can only see the test bucket (because theenvironmenttag has a the valuetest):正如所料,我只能看到测试桶(因为environment标签有一个值test):
whereas in the dev bucket:而在开发桶中:
解决方案2
0 2022-05-25 20:43:58
I discovered that my policy does indeed work if I test programmatic access from the CLI.我发现如果我从 CLI 测试编程访问,我的策略确实有效。 For example:例如:
aws s3api list-objects --bucket my-staging-bucket --profile staging-user Returns results aws s3api list-objects --bucket my-staging-bucket --profile staging-user返回结果
aws s3api list-objects --bucket my-test-bucket --profile staging-user Shows Access Denied aws s3api list-objects --bucket my-test-bucket --profile staging-user显示拒绝访问
However, I was unable to get my policy to work through the IAM Policy Simulator Tool.但是,我无法通过 IAM Policy Simulator Tool 使我的策略生效。 If anyone can explain this as part of this question, I think it could help others with similar experience.如果有人可以将此解释为这个问题的一部分,我认为它可以帮助其他有类似经验的人。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.