STS 角色 信任关系
STS Role Trust relationship
我已经使用
在目标帐户中定义了信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[SOURCE_ACCOUNT_NUMBER]:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
我想添加一个条件,以便在使用联盟 (STS) 时仅允许特定用户访问此帐户。所以我将信任关系修改为:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[SOURCE_ACCOUNT_NUMBER]:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:user-name": "[USER-NAME-FROM-SOURCE-ACCOUNT]"
}
}
}
]
}
但是,这个条件没有得到评估。在这种情况下 aws:user-name 是否适合验证此条件?
参考:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
如果指定用户 arn,实际上可以在 principal 字段中指定特定用户,例如:
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/<username>"
},
我已经使用
在目标帐户中定义了信任关系{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[SOURCE_ACCOUNT_NUMBER]:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
我想添加一个条件,以便在使用联盟 (STS) 时仅允许特定用户访问此帐户。所以我将信任关系修改为:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::[SOURCE_ACCOUNT_NUMBER]:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"Bool": {
"aws:user-name": "[USER-NAME-FROM-SOURCE-ACCOUNT]"
}
}
}
]
}
但是,这个条件没有得到评估。在这种情况下 aws:user-name 是否适合验证此条件?
参考:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html
如果指定用户 arn,实际上可以在 principal 字段中指定特定用户,例如:
"Principal": {
"AWS": "arn:aws:iam::123456789012:user/<username>"
},