如何解决sso用户的s3存储桶策略
我想允许特定角色“ test-role”在特定存储桶“ test-bucket”上执行所有s3操作。拒绝所有其他人。我写的s3政策:
{
"Version": "2012-10-17","Id": "Policy1601973417173","Statement": [
{
"Sid": "Allow role test-role","Effect": "Allow","Principal": {
"AWS": "arn:aws:iam::xxxxxxxx:role/test-role"
},"Action": "s3:*","Resource": "arn:aws:s3:::test-bucket/*"
},{
"Sid": "Deny rest","Effect": "Deny","NotPrincipal": {
"AWS": "arn:aws:iam::xxxxxxxx:role/test-role"
},"Resource": "arn:aws:s3:::test-bucket/*"
}
]
}
即使应用了上述策略,映射到“ test-role”角色的sso用户也会在存储桶中获得拒绝访问的权限。
注意:AWS控制台将登录用户显示为“联合登录:test-role/sam@abc.com”。
我也尝试过“假定角色”选项仍然失败。任何帮助表示赞赏。
解决方法
尝试一下:
{
"Version": "2012-10-17","Statement": [
{
"Effect": "Deny","Principal": "*","Action": "s3:*","Resource": [
"arn:aws:s3:::test-bucket","arn:aws:s3:::test-bucket/*"
],"Condition": {
"StringNotLike": {
"aws:userId": [
"AIDA<udserid-1-suppressed>:*","AIDA<udserid-1-suppressed>","AIDA<udserid-2-suppressed>:*","AIDA<udserid-2-suppressed>","AIDA<udserid-n-suppressed>:*","AIDA<udserid-n-suppressed>","111111111111"
]
}
}
}
]
}
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。