访问单独 ARN 资源问题的角色策略
Roles policy to access separate ARN resource issue
我想添加仅允许 IAM 用户访问少数表的策略。
我的保单:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudwatch:DescribeAlarmHistory",
"cloudwatch:DescribeAlarms",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:ListPipelines",
"datapipeline:QueryObjects",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:ListTables",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:DescribeReservedCapacity",
"dynamodb:DescribeReservedCapacityOfferings",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:GetFunctionConfiguration"
],
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:eu-west-1: xxxxxxxxxxxx:table:table/<TableName>", //commented real name
"arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table/<TableName>" //commented real name
]
}
]
}
结果我收到了 "Not Autorized" 消息
但是当我将 Resource 更改为“*”时 - 一切正常。
那么,为什么我不能只对单独的表启用完全读取访问权限?
解决方案,感谢 Deepesh S.(来自亚马逊),如下所列
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ResourceBasedActions",
"Action": [
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:QueryObjects",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"lambda:GetFunctionConfiguration"
],
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:eu-west-1: xxxxxxxxxxxx:table:table/<TableName>",
"arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table/<TableName>"
]
},
{
"Sid": "NonResourceBasedActions",
"Action": [
"cloudwatch:DescribeAlarmHistory",
"cloudwatch:DescribeAlarms",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"datapipeline:ListPipelines",
"dynamodb:ListTables",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"dynamodb:DescribeReservedCapacity",
"dynamodb:DescribeReservedCapacityOfferings"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
}
我想添加仅允许 IAM 用户访问少数表的策略。
我的保单:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudwatch:DescribeAlarmHistory",
"cloudwatch:DescribeAlarms",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:ListPipelines",
"datapipeline:QueryObjects",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:ListTables",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:DescribeReservedCapacity",
"dynamodb:DescribeReservedCapacityOfferings",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:GetFunctionConfiguration"
],
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:eu-west-1: xxxxxxxxxxxx:table:table/<TableName>", //commented real name
"arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table/<TableName>" //commented real name
]
}
]
}
结果我收到了 "Not Autorized" 消息
但是当我将 Resource 更改为“*”时 - 一切正常。
那么,为什么我不能只对单独的表启用完全读取访问权限?
解决方案,感谢 Deepesh S.(来自亚马逊),如下所列
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ResourceBasedActions",
"Action": [
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:QueryObjects",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"lambda:GetFunctionConfiguration"
],
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:eu-west-1: xxxxxxxxxxxx:table:table/<TableName>",
"arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table/<TableName>"
]
},
{
"Sid": "NonResourceBasedActions",
"Action": [
"cloudwatch:DescribeAlarmHistory",
"cloudwatch:DescribeAlarms",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"datapipeline:ListPipelines",
"dynamodb:ListTables",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"dynamodb:DescribeReservedCapacity",
"dynamodb:DescribeReservedCapacityOfferings"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
}