Restricting access to an AWS resource using a specific pattern of AWS roles

I want all roles of my AWS account having a specific pattern to be able to access a Secrets Manager secret. I know I can use a Condition block and wildcard matching for that.

However, the Principal field is required in a resource policy.

Will the following policy restrict access to just the roles matching the pattern?
{
  "Statement": [
    {
      "Action": [
        "secretsmanager:UpdateSecret",
        "secretsmanager:GetSecretValue"
      ],
      "Condition": {
        "StringLike": {
          "aws:PrincipalArn": "arn:aws:iam::12345678910:role/my_role_*"
        }
      },
      "Principal": { "AWS": "arn:aws:iam::12345678910:root" },
      "Effect": "Allow",
      "Resource": "arn:aws:secretsmanager:us-east-1:12345678910:secret:some-secret-1234",
      "Sid": "rp1"
    }
  ],
  "Version": "2012-10-17"
}
Use the wildcard "All Principal": {"AWS": "*"}. The combination of a same-account Account Principal + wildcard condition works in role *trust* policies [1] but apparently not in *resource* policies [2].

> You can specify the role principal as the principal in a resource-based policy or create a broad-permission policy [with a wildcard Principal] that uses the aws:PrincipalArn condition key.

Because the condition contains the account number, the All Principal is no more permissive than the Account Principal would be. Also, because the policy is always tied to a specific secret resource, the wildcard "*" Resource is no more permissive than the secret name. Finally, while an ArnLike condition is not always equivalent to StringLike, it is identical in this case.
{
  "Version" : "2012-10-17",
  "Statement" : [ {
    "Effect" : "Allow",
    "Principal" : { "AWS" : "*" },
    "Action" : [ "secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue" ],
    "Resource" : "arn:aws:secretsmanager:us-east-1:12345678910:secret:some-secret-1234",
    "Condition" : {
      "ArnLike" : {
        "aws:PrincipalArn" : "arn:aws:iam::12345678910:role/my_role_*"
      }
    }
  } ]
}
[1] See the wildcard permissions section of the AWS blog post "How to use trust policies with IAM roles" for a trust policy example.

[2] Error using a Lambda role + Secrets Manager resource policy with a same-account Account Principal: ...no identity-based policy allows the secretsmanager:GetSecretValue action.
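To make the effect of the wildcard Principal plus aws:PrincipalArn condition concrete, here is an added example (not part of the question or the answer above, and not AWS's own evaluation engine) that walks a simplified resource-policy evaluation over a constructed policy in the shape the answer recommends. It checks principal, action, resource and the StringLike/ArnLike condition in turn, and includes a small lint that flags Allow statements whose Principal is "*" but which carry no condition on a principal-identifying key. The account id 123456789012 and the secret name are placeholders; the evaluation rules are a simplification of IAM (explicit Deny wins, any matching Allow allows, otherwise implicit deny) and ArnLike is approximated by wildcard matching over a syntactically valid ARN.

```python
import re

# Constructed policy: wildcard Principal restricted by an aws:PrincipalArn condition.
# Account id and secret name are placeholders, not values from the original post.
SECRET = "arn:aws:secretsmanager:us-east-1:123456789012:secret:some-secret-1234"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "rp1",
        "Effect": "Allow",
        "Principal": {"AWS": "*"},
        "Action": ["secretsmanager:DescribeSecret", "secretsmanager:GetSecretValue"],
        "Resource": SECRET,
        "Condition": {
            "ArnLike": {"aws:PrincipalArn": "arn:aws:iam::123456789012:role/my_role_*"}
        },
    }],
}

# Condition keys that pin a statement to a particular principal, account or org.
PRINCIPAL_KEYS = {"aws:PrincipalArn", "aws:PrincipalAccount",
                  "aws:PrincipalOrgID", "aws:PrincipalOrgPaths"}


def _as_list(x):
    return x if isinstance(x, list) else [x]


def wildcard_match(pattern: str, value: str) -> bool:
    """IAM-style glob: '*' matches any run of characters, '?' exactly one.
    Case-sensitive, as StringLike and ArnLike are."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None


def arn_like(pattern: str, value: str) -> bool:
    """Simplified ArnLike: the value must look like a six-part ARN, then glob-match."""
    if not value.startswith("arn:") or value.count(":") < 5:
        return False
    return wildcard_match(pattern, value)


OPERATORS = {
    "StringEquals": lambda p, v: p == v,
    "StringLike": wildcard_match,
    "ArnLike": arn_like,
}


def condition_holds(condition: dict, context: dict) -> bool:
    """Every operator/key pair must hold; within one key any listed pattern may match."""
    for operator, keys in condition.items():
        match = OPERATORS[operator]
        for key, patterns in keys.items():
            value = context.get(key)
            if value is None or not any(match(p, value) for p in _as_list(patterns)):
                return False
    return True


def principal_matches(principal, principal_arn: str) -> bool:
    """'*', {'AWS': '*'} or an explicit ARN list; the Condition does the narrowing."""
    if principal == "*":
        return True
    allowed = _as_list(principal.get("AWS", []))
    return "*" in allowed or principal_arn in allowed


def evaluate(policy: dict, principal_arn: str, action: str, resource: str) -> str:
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for one request against a resource policy."""
    context = {"aws:PrincipalArn": principal_arn}
    decision = "ImplicitDeny"
    for st in policy["Statement"]:
        if not principal_matches(st.get("Principal", {}), principal_arn):
            continue
        if not any(wildcard_match(a, action) for a in _as_list(st["Action"])):
            continue
        if not any(wildcard_match(r, resource) for r in _as_list(st["Resource"])):
            continue
        if not condition_holds(st.get("Condition", {}), context):
            continue
        if st["Effect"] == "Deny":
            return "Deny"          # explicit deny always wins
        decision = "Allow"
    return decision


def unconstrained_wildcard_statements(policy: dict) -> list:
    """Lint: Sids of Allow statements with a '*' Principal and no condition on a
    principal-identifying key. Such a statement is reachable from any AWS account."""
    flagged = []
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or not principal_matches(st.get("Principal", {}), ""):
            continue
        keys = {k for ops in st.get("Condition", {}).values() for k in ops}
        if not keys & PRINCIPAL_KEYS:
            flagged.append(st.get("Sid", "<no Sid>"))
    return flagged


if __name__ == "__main__":
    for arn in ("arn:aws:iam::123456789012:role/my_role_app",
                "arn:aws:iam::123456789012:role/other_role",
                "arn:aws:iam::999999999999:role/my_role_app"):
        print(arn, "->", evaluate(POLICY, arn, "secretsmanager:GetSecretValue", SECRET))
    print("unconstrained statements:", unconstrained_wildcard_statements(POLICY))
```

Running it shows the pattern-matching role in the same account gets Allow, a non-matching role in the same account and a matching role name in a different account both fall to implicit deny, and the lint reports nothing because the aws:PrincipalArn condition narrows the "*" Principal; delete the Condition block and the lint flags "rp1".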