为什么有些 AWS ARN 需要指定账户分段,而有些则不需要?
[英]Why do some AWS ARNs require account segments to be specified and others do not?
问题描述
I'm giving a lambda create tag access to all snapshots, volumes, and instances in an account.
我正在授予 lambda 创建标签访问帐户中所有快照、卷和实例的权限。 It only works when I specify the account ID for volumes and instances but not for snapshots.它仅在我为卷和实例指定帐户 ID 而不是快照时有效。
Example IAM policy snippet IAM 政策片段示例
“Resource”: [
“arn:aws:ec2:*:<account-id>:volume/*“,
“arn:aws:ec2:*::snapshot/*“,
“arn:aws:ec2:*:<account-id>:instance/*”
]
Why do you need to specify the account number for some resources, but when you do it fails for others?为什么有的资源需要指定账号,有的资源却指定不了?
What is the difference between :*: and :: ? :*:和::有什么区别?
I tried我试过了
“Resource”: [
“arn:aws:ec2:*::volume/*“,
“arn:aws:ec2:*::snapshot/*“,
“arn:aws:ec2:*::instance/*”
]
and和
“Resource”: [
“arn:aws:ec2:*:<account-id>:volume/*“,
“arn:aws:ec2:*:<account-id>:snapshot/*“,
“arn:aws:ec2:*:<account-id>:instance/*”
]
but the first failed for volumes and the second failed for snapshots.但第一个失败了卷,第二个失败了快照。 I'd expect the format to be consistant.我希望格式是一致的。
2 个解决方案
解决方案1
2 2023-01-20 07:23:55
Why do you need to specify the account number for some resources, but when you do it fails for others?
For two, sometimes overlapping, reasons:出于两个有时重叠的原因:
First, because specificity is required in some cases and not in others.首先,因为在某些情况下需要特异性,而在其他情况下则不需要。 S3 for example requires globally unique bucket names, so account is superfluous.例如 S3 需要全局唯一的存储桶名称,因此帐户是多余的。
Otherwise, for legacy reasons.否则,出于遗留原因。 Again, S3 is a great example as one of the first... maybe the first AWS service, there was no concept of ARN yet.同样,S3 是第一个很好的例子……也许是第一个 AWS 服务,当时还没有 ARN 的概念。
What is the difference between
:*:and::?:*:和::有什么区别?
Nothing, both are functionally the same, but only one will be generally accepted for a given resource type, because the ARN requirements vary from resource type to resource type.没什么,两者在功能上是相同的,但对于给定的资源类型,通常只接受一个,因为 ARN 要求因资源类型而异。 According to the QuickSight's ARN Documentation , "You can use wildcard characters (* and?) within any ARN segment."根据QuickSight 的 ARN 文档,“您可以在任何 ARN 段中使用通配符(* 和?)。” However, if the segment is required for that resource type, you can use the wildcard to represent its value, but if the segment is not required I don't believe you can in all cases.但是,如果该资源类型需要该段,您可以使用通配符来表示其值,但如果不需要该段,我认为您不能在所有情况下都可以。
To look up the ARN specification for a resource type you can follow the Service Authorization Reference , select Actions, resources, and condition keys for AWS services , then find your specific resource type.要查找资源类型的 ARN 规范,您可以按照服务授权参考select Actions, resources, and condition keys for AWS services ,然后找到您的特定资源类型。 In this case, one example is EC2 Snapshot.在这种情况下,一个示例是 EC2 快照。
So you can go to Amazon EC2 and find snapshot under Resource Types which yields this ARN format string.因此,您可以 go 到Amazon EC2并在资源类型下找到snapshot ,它会生成此 ARN 格式字符串。 arn:${Partition}:ec2:${Region}::snapshot/${SnapshotId}
In this case, I would omit the account segment entirely for snapshot ARN's.在这种情况下,我会完全省略快照 ARN 的帐户段。
解决方案2
0 2023-01-20 07:04:17
I guess it's for security purpose.我想这是出于安全目的。 Keeping the accound_id blank or wildcard * means it's for any account.将accound_id保留为空白或通配符*表示它适用于任何帐户。 Specifying account_id means it's restricted to that specific account only.指定 account_id 意味着它仅限于该特定帐户。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.