基于名称访问 sqs 队列的动态权限策略

Question

我想创建一个带有属性替换的动态权限策略，允许访问各个客户的队列（表示为 SQS 队列名称的一部分）

例如：SQS 队列名称：individual-queue-${insert-attribute-by-customer-name}

我创建了一个 IAM 角色以在 sqs 访问策略中授予访问权限，其名称为：generic-sqs-access-role-dynamic-attributes

{
"Version": "2012-10-17",
"Statement": [
    {
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [
            "sqs:DeleteMessage",
            "sqs:ReceiveMessage",
            "sqs:SendMessage",
            "sqs:GetQueueAttributes"
        ],
        "Resource": [
            "arn:aws:sqs:us-west-2:accountID:general-queue-abc",
            "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
        ]
    },
    {
        "Sid": "VisualEditor1",
        "Effect": "Allow",
        "Action": "sqs:ListQueues",
        "Resource": "*"
    }
]
}

我的 sqs 访问策略：

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountID:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
    },
    {
      "Sid": "__sender_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountID:role/generic-sqs-access-role-dynamic-attributes" // the role with permission policy as stated above
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
    },
    {
      "Sid": "__receiver_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountID:role/generic-sqs-access-role-dynamic-attributes"
      },
      "Action": [
        "SQS:ChangeMessageVisibility",
        "SQS:DeleteMessage",
        "SQS:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
    }
  ]
}

但是当我担任这个角色并使用 cloud9 进行测试时，动态策略不起作用。 那些能够承担generic-sqs-access-role-dynamic-attributes人能够访问所有队列（包括附加客户姓名的一般队列和个人队列）

我希望 IAM 角色策略中的动态属性能够根据将替换客户名称的队列名称进行限制

即客户-a 只能访问 arn:aws:sqs:eu-west-2:accountID:individual-queue-customer-a

customer-b 只能访问 arn:aws:sqs:eu-west-2:accountID:individual-queue-customer-b

但他们无法访问彼此的队列

我尝试了条件，但运气不佳。

这里出了什么问题？ 这是我的 IAM 政策问题还是 SQS 访问政策问题？

谢谢

Answer 1

我得到了它的工作方式

2 个不同的 IAM 策略从上述 IAM 策略中分离出来 - 1 个仅具有一般队列资源，1 个客户特定队列

在 SQS 访问策略中，我在单个队列中添加了属性替换

{
  "Version": "2008-10-17",
  "Id": "__default_policy_ID",
  "Statement": [
    {
      "Sid": "__owner_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountID:root"
      },
      "Action": "SQS:*",
      "Resource": "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
    },
    {
      "Sid": "__sender_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountID:role/general-access-role"
      },
      "Action": "SQS:SendMessage",
      "Resource": "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
    },
    {
      "Sid": "__receiver_statement",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::accountID:role/general-access-role"
      },
      "Action": [
        "SQS:ChangeMessageVisibility",
        "SQS:DeleteMessage",
        "SQS:ReceiveMessage"
      ],
      "Resource": "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
    }
  ]
}

基于名称访问 sqs 队列的动态权限策略

问题描述

1 个解决方案

解决方案1
0 2022-06-06 00:37:12

基于名称访问 sqs 队列的动态权限策略

问题描述

1 个解决方案

解决方案1 0 2022-06-06 00:37:12

解决方案1
0 2022-06-06 00:37:12