动态权限策略以访问基于名称的SQS队列
我想创建一个具有属性替代的动态权限策略,允许访问各个客户的队列(表示为SQS队列名称的一部分):
例如: sqs队列名称:个人Queu- $ {insert-attribute by-customer-name}
我创建了一个IAM角色,以授予具有名称的SQS访问策略中的访问:enperic-sqs-acqs-access-access-access-role-dynamic-atminic-atminic-attributes
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:GetQueueAttributes"
],
"Resource": [
"arn:aws:sqs:us-west-2:accountID:general-queue-abc",
"arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "sqs:ListQueues",
"Resource": "*"
}
]
}
my sqs访问策略:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountID:root"
},
"Action": "SQS:*",
"Resource": "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
},
{
"Sid": "__sender_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountID:role/generic-sqs-access-role-dynamic-attributes" // the role with permission policy as stated above
},
"Action": "SQS:SendMessage",
"Resource": "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
},
{
"Sid": "__receiver_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountID:role/generic-sqs-access-role-dynamic-attributes"
},
"Action": [
"SQS:ChangeMessageVisibility",
"SQS:DeleteMessage",
"SQS:ReceiveMessage"
],
"Resource": "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
}
]
}
但是,当我担任角色并用cloud9进行测试时,动态策略不起作用。那些能够假设角色generic-sqs-access-access-lole-dynamic-attributes能够访问所有队列(带有客户名称附加到他们的客户名称)能够
访问 所有队列) IAM角色策略中的属性将能够基于队列名称限制,该名称将替换客户名称
,即Customer-A仅访问ARN:AWS:SQS:SQS:EU-WEST-2:ACCEATID:accountID:个人Quastomer-a
Customer-B只能访问ARN:AWS:SQS:EU-West-2:AccountID:个体Queue-Customer-B
,但他们无法访问我在情况下尝试的彼此队列
,但运气不多。
这里出了什么问题?这是我的IAM政策问题还是SQS访问政策问题?
谢谢
I want to create a dynamic permission policy with attributes substitution that allows access to respective customer's queue (indicated as part of the SQS queue name)
For example:
SQS queue name: individual-queue-${insert-attribute-by-customer-name}
I created an IAM role to grant access in sqs access policy with name: generic-sqs-access-role-dynamic-attributes
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sqs:DeleteMessage",
"sqs:ReceiveMessage",
"sqs:SendMessage",
"sqs:GetQueueAttributes"
],
"Resource": [
"arn:aws:sqs:us-west-2:accountID:general-queue-abc",
"arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "sqs:ListQueues",
"Resource": "*"
}
]
}
my sqs access policy:
{
"Version": "2008-10-17",
"Id": "__default_policy_ID",
"Statement": [
{
"Sid": "__owner_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountID:root"
},
"Action": "SQS:*",
"Resource": "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
},
{
"Sid": "__sender_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountID:role/generic-sqs-access-role-dynamic-attributes" // the role with permission policy as stated above
},
"Action": "SQS:SendMessage",
"Resource": "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
},
{
"Sid": "__receiver_statement",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::accountID:role/generic-sqs-access-role-dynamic-attributes"
},
"Action": [
"SQS:ChangeMessageVisibility",
"SQS:DeleteMessage",
"SQS:ReceiveMessage"
],
"Resource": "arn:aws:sqs:eu-west-2:accountID:individual-queue-${insert-attribute-by-customer-name}"
}
]
}
But when I assumed the role and tested with cloud9, the dynamic policy doesn't work. Those that are able to assume the role generic-sqs-access-role-dynamic-attributes are able to access all the queues (both general and individual queues with customer names appended to them)
I expected the dynamic attributes in the IAM role policy would be able to restrict based on the queue name which will substitute the customer name
i.e. customer-a can access only arn:aws:sqs:eu-west-2:accountID:individual-queue-customer-a
customer-b can access only arn:aws:sqs:eu-west-2:accountID:individual-queue-customer-b
but they can't access each other's queue
I tried with conditions but not much luck.
What has gone wrong here? Is that my IAM policy issue or SQS access policy issue?
thanks
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
我以这种方式完成了工作
2不同的IAM政策,从上述IAM策略分开 - 1只有一般队列的资源,1个
在SQS访问策略中的客户特定队列,我在属性中添加了单个队列中的属性替换
I got it work this way
2 different IAM policies splitting from the above IAM policy - 1 with resource of general queue only, 1 customer specific queue
In SQS access policy, I added in attribute substitution in the individual queue