
AWS IAM Role Policy Resource Restriction

I'm relatively new to AWS and am trying to figure out how the role policies work. I've read the AWS documentation, which is very comprehensive, but the policy I'm applying still isn't doing what I expect... let me explain

I'm trying to grant access to a role so that, when it is assumed, it can do stuff with lambda

I've created a role called "deployer".
I've then attached the below policy to that role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": "lambda:*",
            "Resource": "arn:aws:iam::<account_id>:role/deployer"
        }
    ]
}

My expectation here is that the Policy says... The specified resource (the deployer role) is "Allowed" to do any action with the Lambda service

However, when I switch to that role in the front end, I get the following error in the Lambda dashboard:

You are not authorized to perform: lambda:GetAccountSettings.

The only solution I've found is to wildcard the Resource attribute in the Policy... however that sort of negates the purpose of trying to restrict access to only that role

Example of the Policy that does what I want

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": "lambda:*",
            "Resource": "*"
        }
    ]
}

Could someone explain to me what is actually happening here? I've clearly not understood what the Resource attribute is used for... To me that second Policy says any resource can do anything with Lambda...

Thanks

You're attempting to define the role to apply the policy to in the resource attribute - that's not what the resource attribute is for. The resource attribute relates to the Lambda functions you want the user to be able to call.

To assign this policy to a role, simply create the policy as above (defining your Lambda resources appropriately, which could be a wildcard if you really want to apply this to all your Lambda functions) then assign the policy to a role in the IAM console.

See here for more information on defining resources.

Change

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": "lambda:*",
            "Resource": "arn:aws:iam::<account_id>:role/deployer"
        }
    ]
}

to

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "1",
            "Effect": "Allow",
            "Action": "lambda:*",
            "Resource": "arn:aws:lambda:<region>:<account_number>:function:my-awesome-lambda-function"
        }
    ]
}
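To make the Resource semantics from both answers concrete, here is an added toy policy evaluator (example code written for this page, not part of the thread and not the real IAM engine: no conditions, NotAction or policy boundaries). The account id, region and ARNs are constructed sample values. It shows why a role ARN in Resource never grants anything against a Lambda function, and also why the console's lambda:GetAccountSettings call still fails with a function-scoped statement: that action has no resource ARN of its own, so it is only granted by a statement whose Resource is "*", which is why the least-privilege shape is two statements rather than one wildcard.

```python
import re

# Constructed sample identifiers (not from the thread): an account id, a region and the two ARNs.
ROLE_ARN = "arn:aws:iam::123456789012:role/deployer"
FUNC_ARN = "arn:aws:lambda:us-east-1:123456789012:function:my-awesome-lambda-function"


def policy(resource, action="lambda:*"):
    """Build a single-statement Allow policy shaped like the ones in the thread."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "1", "Effect": "Allow", "Action": action, "Resource": resource}]}


def _glob(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters, '?' exactly one."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(doc, action, resource):
    """Toy evaluator: implicit deny unless an Allow matches action AND resource; explicit Deny wins.
    Action names compare case-insensitively, ARNs case-sensitively, as IAM does."""
    allowed = False
    for stmt in doc["Statement"]:
        if not any(_glob(a.lower(), action.lower()) for a in _as_list(stmt["Action"])):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Least-privilege shape: lambda:* scoped to one function, plus the account-level call the console
# makes (lambda:GetAccountSettings), which has no resource ARN and therefore needs Resource "*".
LEAST_PRIVILEGE = {"Version": "2012-10-17", "Statement": [
    {"Sid": "OneFunction", "Effect": "Allow", "Action": "lambda:*", "Resource": FUNC_ARN},
    {"Sid": "AccountLevel", "Effect": "Allow", "Action": "lambda:GetAccountSettings", "Resource": "*"},
]}

if __name__ == "__main__":
    # The question's policy: a role ARN never matches a Lambda function ARN, so everything is denied.
    print(is_allowed(policy(ROLE_ARN), "lambda:InvokeFunction", FUNC_ARN))   # False
    # The answer's policy: works for the function, but not for the account-level console call.
    print(is_allowed(policy(FUNC_ARN), "lambda:InvokeFunction", FUNC_ARN))   # True
    print(is_allowed(policy(FUNC_ARN), "lambda:GetAccountSettings", "*"))    # False
    # Two statements give the console what it needs without wildcarding the function actions.
    print(is_allowed(LEAST_PRIVILEGE, "lambda:GetAccountSettings", "*"))     # True
```

Which principal the policy applies to is decided by attaching it to the deployer role, never by the Resource field.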
