AWS SSM 策略不像文档那样工作
AWS SSM Policy doesn't work like the documentation
我尝试按照此处的示例提供政策:https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-examples.html
但是,我不断收到警告,但它不起作用。
这些是我到目前为止所尝试的:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStartSessionExceptProd",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"ssm:resourceTag/environment": [
"prod",
"Prod"
]
}
}
}
]
}
或
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStartSessionExceptProd",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"arn:aws:ec2:*:*:instance": [
"i-myInstanceId1",
"i-myInstanceId2"
]
}
}
}
]
}
甚至我尝试使用更多基于资源的条件。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStartSessionExceptProd",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"ssm:resourceTag/environment": [
"prod",
"Prod"
],
"arn:aws:ec2:*:*:resourceTag/environment": [
"prod",
"Prod"
],
"ec2:resourceTag/environment": [
"prod",
"Prod"
]
}
}
}
]
}
一般来说,我想要做的就是允许在非生产服务器的服务器上访问以在 SSM 中启动会话。
我的 EC2 产品服务器都有一个标签 environment:prod
我在每种情况下都收到一条错误消息,但该消息不起作用:
There are no actions in your policy that support this condition key.
示例:
ec2:resourceTag /environment (StringNotLike prod and Prod)
There are no actions in your policy that support this condition key.
感谢任何帮助。
根据评论和一些调查,答案如下:
从 docs 可以很容易地看出哪些 动作 支持什么条件。
不幸的是,为限制访问提供的示例是错误的,即包含示例代码的文档中存在错误。
PR 可能是个好主意,这样其他人就不会挂在同样的东西上。
我尝试按照此处的示例提供政策:https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-examples.html
但是,我不断收到警告,但它不起作用。
这些是我到目前为止所尝试的:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStartSessionExceptProd",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"ssm:resourceTag/environment": [
"prod",
"Prod"
]
}
}
}
]
}
或
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStartSessionExceptProd",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"arn:aws:ec2:*:*:instance": [
"i-myInstanceId1",
"i-myInstanceId2"
]
}
}
}
]
}
甚至我尝试使用更多基于资源的条件。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStartSessionExceptProd",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"ssm:resourceTag/environment": [
"prod",
"Prod"
],
"arn:aws:ec2:*:*:resourceTag/environment": [
"prod",
"Prod"
],
"ec2:resourceTag/environment": [
"prod",
"Prod"
]
}
}
}
]
}
一般来说,我想要做的就是允许在非生产服务器的服务器上访问以在 SSM 中启动会话。
我的 EC2 产品服务器都有一个标签 environment:prod
我在每种情况下都收到一条错误消息,但该消息不起作用:
There are no actions in your policy that support this condition key.
示例:
ec2:resourceTag /environment (StringNotLike prod and Prod)
There are no actions in your policy that support this condition key.
感谢任何帮助。
根据评论和一些调查,答案如下:
从 docs 可以很容易地看出哪些 动作 支持什么条件。
不幸的是,为限制访问提供的示例是错误的,即包含示例代码的文档中存在错误。
PR 可能是个好主意,这样其他人就不会挂在同样的东西上。