仅根据存储桶策略将 AWS IAM 实例角色策略设置为 GetObject
我无法更改我们企业环境中的 IAM 角色策略。所以我希望能够根据存储桶策略更改角色对S3的权限。我想将 AWS IAM 实例角色设置为允许基于此存储桶策略的“s3:GetObject”。
我的存储桶策略中有这样的内容:
{
"Sid": "tag-based",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XY:role/testing"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1/path1/*",
"arn:aws:s3:::bucket1/path1"
]
},
我希望在我的 IAM 角色内联策略中加入类似的内容 ->仅允许 TagKey 等于“SG”的资源:
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": "<HOW TO SETUP IT ONLY FOR RESORUCES WHICH HAVE TAG KEY 'SG?'>",
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"SG"
]
}
}
}
Is this right way to achieve it?
I'm not able to change IAM role policy in our corporate environment. So I want to be able to change role's permissions to S3 based on bucket policy. I want to setup AWS IAM instance role to have Allow on "s3:GetObject" based on this bucket policy.
I have this in my bucket policy:
{
"Sid": "tag-based",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XY:role/testing"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::bucket1/path1/*",
"arn:aws:s3:::bucket1/path1"
]
},
And I want something like this in my IAM role inline policy -> To have allow only for resources which have TagKey equal to 'SG':
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:PutObjectAcl"
],
"Resource": "<HOW TO SETUP IT ONLY FOR RESORUCES WHICH HAVE TAG KEY 'SG?'>",
"Condition": {
"ForAllValues:StringEquals": {
"aws:TagKeys": [
"SG"
]
}
}
}
Is this right way to achieve it?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
S3 支持 授权标签是部分的,这意味着并非所有操作都支持基于标签的条件。进一步提到这里也是如此。
至于您在策略中提到的调用,描述了它们如何使用标签 此处
GetObject和PutObect围绕x-amz-tag-count 标头展开。这还需要另一个名为 GetObjectTagging 的权限没有专门针对资源的此类子句,您可以在上面的链接页面中名为
Amazon S3 定义的资源类型的部分中找到相同的子句。总而言之,您想要简单地实现的目标是tag 的授权可能无法完全按照您的预期工作。
S3 support for Authorization based on tags is partial that means not all the operations supports tag based conditions. Which is further mentioned here as well.
As far as the calls you mentioned in your policy how they work with tags are described here
GetObjectandPutObectrevolves aroundx-amz-tag-count header. Which further requires another permission named GetObjectTaggingThere is no such clause for resources specifically, you can find the same in the above linked page under the section named
Resource types defined by Amazon S3In summary what you are trying to achieve simply in terms of
tagbased authorization might not fully work as you expect.