AWS IAM policy to limit access to CodeCommit branches with wildcards in their names
Amazon now supports restricting access to CodeCommit repositories branch by branch through IAM policies.
I have successfully denied access to specific branches with the policy form below, but I can't find a way to deny access to all branches whose names start with a given string.
That is: master and develop are specific branches, but I also have release-1, release-2, etc., which I want to deny as well.
What I want is to be able to use a wildcard. I tried release-* but it didn't work.
Is there a format for putting wildcards in "codecommit:References"?
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "codecommit:GitPush",
                "codecommit:DeleteBranch",
                "codecommit:PutFile",
                "codecommit:MergePullRequestByFastForward"
            ],
            "Resource": "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo",
            "Condition": {
                "StringEqualsIfExists": {
                    "codecommit:References": [
                        "refs/heads/master",
                        "refs/heads/develop",
                        "refs/heads/release-[now what]"
                    ]
                },
                "Null": {
                    "codecommit:References": false
                }
            }
        }
    ]
}
This is an IAM policy, so it should support all of the condition operators listed here: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html. However, because the GitPush action itself involves two separate operations under the hood, you should use the ..IfExists family of condition operators to get the expected behaviour. In other words, to use a wildcard in this case you should use StringLikeIfExists. Your policy might look like this:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "codecommit:GitPush"
            ],
            "Resource": "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo",
            "Condition": {
                "StringLikeIfExists": {
                    "codecommit:References": [
                        "refs/heads/release-*"
                    ]
                },
                "Null": {
                    "codecommit:References": false
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "codecommit:GitPush",
                "codecommit:DeleteBranch",
                "codecommit:PutFile",
                "codecommit:MergePullRequestByFastForward"
            ],
            "Resource": "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo",
            "Condition": {
                "StringEqualsIfExists": {
                    "codecommit:References": [
                        "refs/heads/master",
                        "refs/heads/prod"
                    ]
                },
                "Null": {
                    "codecommit:References": false
                }
            }
        }
    ]
}
This should support both wildcard and exact matching.
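To trace how the two Deny statements in the answer behave on a real push, here is an added Python simulator; it is not part of the original post and not AWS code. It models only the operators the answer uses (StringEquals, StringLike, their IfExists variants, and Null) following the public IAM evaluation rules, represents the first, reference-less phase of GitPush as a request that carries no codecommit:References key, and, as a simplifying assumption, evaluates each pushed ref on its own. The repository ARN, branch names and policy are copied from the answer; the function names and the sample refs are assumptions made for this example.

```python
import copy
import re

# Constructed inputs for this example: the repository ARN and the answer's
# two Deny statements, reproduced as a Python dict.
REPO_ARN = "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo"
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # wildcard statement: every branch whose name starts with release-
            "Effect": "Deny",
            "Action": ["codecommit:GitPush"],
            "Resource": REPO_ARN,
            "Condition": {
                "StringLikeIfExists": {"codecommit:References": ["refs/heads/release-*"]},
                "Null": {"codecommit:References": False}}},
        {   # exact-match statement: the named branches
            "Effect": "Deny",
            "Action": ["codecommit:GitPush", "codecommit:DeleteBranch",
                       "codecommit:PutFile", "codecommit:MergePullRequestByFastForward"],
            "Resource": REPO_ARN,
            "Condition": {
                "StringEqualsIfExists": {"codecommit:References": ["refs/heads/master", "refs/heads/prod"]},
                "Null": {"codecommit:References": False}}},
    ],
}


def as_list(value):
    return value if isinstance(value, list) else [value]


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike semantics: '*' matches any run of characters and '?' exactly
    one; the comparison is case-sensitive and anchored to the whole string."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def condition_true(operator: str, key: str, expected, context: dict) -> bool:
    """Evaluate one operator/key pair. `context` maps a condition-key name to the
    request's value; a key the request does not carry is absent from the dict."""
    expected = as_list(expected)
    if operator == "Null":
        # Null:true passes when the key is absent, Null:false when it is present.
        want_absent = str(expected[0]).lower() == "true"
        return (key not in context) == want_absent
    if_exists = operator.endswith("IfExists")
    base = operator[: -len("IfExists")] if if_exists else operator
    if key not in context:
        return if_exists  # ...IfExists passes on a missing key; the plain form fails
    value = context[key]
    if base == "StringEquals":
        return value in expected
    if base == "StringLike":
        return any(string_like(p, value) for p in expected)
    raise ValueError(f"operator not modelled in this example: {operator}")


def statement_applies(stmt: dict, action: str, resource: str, context: dict) -> bool:
    """Action, Resource and every Condition key must all match (logical AND)."""
    if not any(string_like(a, action) for a in as_list(stmt["Action"])):
        return False
    if not any(string_like(r, resource) for r in as_list(stmt["Resource"])):
        return False
    return all(condition_true(op, key, exp, context)
               for op, keys in stmt.get("Condition", {}).items()
               for key, exp in keys.items())


def evaluate(policy: dict, action: str, resource: str, context: dict) -> str:
    """Only Deny statements are modelled: 'Deny' if any matches, else 'NotDenied'
    (whether the call is finally allowed depends on the principal's other policies)."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and statement_applies(stmt, action, resource, context):
            return "Deny"
    return "NotDenied"


def git_push_decision(policy: dict, resource: str, refs: list) -> dict:
    """Trace a push as the answer describes it: a first call with no
    codecommit:References key, then the ref-bearing call. Assumption: each pushed
    ref is evaluated on its own and any Deny rejects the whole push."""
    phase1 = evaluate(policy, "codecommit:GitPush", resource, {})
    per_ref = {ref: evaluate(policy, "codecommit:GitPush", resource,
                             {"codecommit:References": ref}) for ref in refs}
    return {"phase1": phase1, "refs": per_ref, "push_rejected": "Deny" in per_ref.values()}


def without_null(policy: dict) -> dict:
    """The same policy with its Null conditions removed, to show why they are there."""
    stripped = copy.deepcopy(policy)
    for stmt in stripped["Statement"]:
        stmt["Condition"].pop("Null", None)
    return stripped


if __name__ == "__main__":
    for ref in ["refs/heads/release-1", "refs/heads/master", "refs/heads/develop",
                "refs/heads/feature/release-1"]:
        print(ref, git_push_decision(POLICY, REPO_ARN, [ref])["refs"][ref])
    print("first call, with Null:", git_push_decision(POLICY, REPO_ARN, [])["phase1"])
    print("first call, without Null:", git_push_decision(without_null(POLICY), REPO_ARN, [])["phase1"])
```

Two things the trace makes visible: without the Null condition the reference-less first call already satisfies StringLikeIfExists, so every push to the repository would be denied, not just pushes to release-* branches; and the wildcard statement in the answer lists only codecommit:GitPush, so deleting a release-* branch through DeleteBranch (console or API) is not covered by it, while the same action on master or prod is. Add the other actions to the first statement if that is the intent.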