![](/img/trans.png)
[英]not authorized to perform: SNS:ListTopics on resource: arn:aws:sns
[英]Forbidden on sns:ListTopics with wildcard resources
只要我们根据某个前缀对资源进行操作,我的团队就有一个对 SNS 具有完全权限的帐户
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
// ...
"sns:ListTopics",
// ...
],
"Resource": "arn:aws:sns:eu-west-1:{redacted}:team-prefix-*"
},
我们可以很好地完成大多数操作,至少是我们最需要的那些,但是如果我们尝试列出主题,我们会得到一个禁止的错误
SNS: ListTopics, AuthorizationError: User xxx is not authorized to perform: SNS:ListTopics on resource: arn:aws:sns:eu-west-1:{redacted}:*
我们正在使用新的 go SDK v2,我们找不到只查询我们的主题的方法,有没有办法列出它们,还是我们需要所有帐户主题的列表权限?
sns:ListTopics 没有资源过滤器( https://docs.aws.amazon.com/sns/latest/api/API_ListTopics.html )它是全有或全无操作。
亚马逊文档除外: if you specify a resource type in a statement with an action that does not support that resource type, then the statement doesn't allow access.
关联
通常,如果您希望能够列出,则 IAM 文档应该是这样的。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sns:CreateTopic"
],
"Resource": "arn:aws:sns:eu-west-1:{redacted}:team-prefix-*"
},
{
"Effect": "Allow",
"Action": [
"sns:ListTopics",
],
"Resource": "*"
},
...
如果粒度级别的分离确实是一个大问题,则应使用单独的 AWS 账户。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.