如何在 AWS IAM 策略中为联合用户提供对 lambda 执行的选择性访问?
How to provide selective access for lambda execution to a federated user in AWS IAM policy?
我正在尝试向组内的 select 成员授予 lambda 执行权限。用户通过 PingFederate 进行身份验证。我在向联合用户授予 selective 访问权限时遇到问题。
我有一个附加到此角色的自定义 IAM 策略 (allow-lambda-invocation-selective)。尽管该策略似乎通过了验证并且策略模拟显示允许访问,但当我尝试执行 lambda 函数时,我收到消息
Calling the invoke API action failed with this message: User:arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:123456789012:function:my-lambda-function
这是我的策略:allow-lambda-invocation-selective
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function",
"Condition": {
"StringEquals": {
"aws:userid": "arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:userid": "arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234"
}
}
}
]
}
我是不是漏掉了什么?
我正在尝试了解您的问题。如果我做出了错误的假设,请纠正我。
- 每个group/user已经有自己的角色。
当您对用户进行身份验证时,他们将扮演自己的角色。 myuser1234,通过身份验证后,将获得arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234角色,对吗?是否可以为每个组创建一个角色并删除 conditions 属性(检查第 2 项解释原因)?
// role-for-grp-l2
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*"
}
]
}
aws:userid
读取关于键 aws:userid 的 docs 我们可以发现这个键的值由 role id:caller-specified-role-name,
where role id is the unique id of the role and the caller-specified-role-name is specified by the RoleSessionName parameter passed to the AssumeRole request.
所以 aws:userid 的值类似于 AIDAJQABLZS4A3QDU576Q:SomeNameYouGive。因此,您的条件永远不会匹配 arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234,然后用户无法采取该操作。
- 以另一种方式使用条件
假设RoleSessionName是用户名,可以这样使用条件:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function",
"Condition": {
"StringLike": {
"aws:userid": "*:myuser1234"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:userid": "*:myuser1234"
}
}
}
]
}
如果您愿意,您可以使用 AWS CLI 和命令删除 * 通配符获取 role id:
aws iam get-role --role-name ROLE_NAME
并改变条件如下:
"Condition": {
"StringEquals": {
"aws:userid": "ROLE_ID:myuser1234"
}
}
我正在尝试向组内的 select 成员授予 lambda 执行权限。用户通过 PingFederate 进行身份验证。我在向联合用户授予 selective 访问权限时遇到问题。
我有一个附加到此角色的自定义 IAM 策略 (allow-lambda-invocation-selective)。尽管该策略似乎通过了验证并且策略模拟显示允许访问,但当我尝试执行 lambda 函数时,我收到消息
Calling the invoke API action failed with this message: User:arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234 is not authorized to perform: lambda:InvokeFunction on resource: arn:aws:lambda:us-east-1:123456789012:function:my-lambda-function
这是我的策略:allow-lambda-invocation-selective
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function",
"Condition": {
"StringEquals": {
"aws:userid": "arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:userid": "arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234"
}
}
}
]
}
我是不是漏掉了什么?
我正在尝试了解您的问题。如果我做出了错误的假设,请纠正我。
- 每个group/user已经有自己的角色。
当您对用户进行身份验证时,他们将扮演自己的角色。 myuser1234,通过身份验证后,将获得arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234角色,对吗?是否可以为每个组创建一个角色并删除 conditions 属性(检查第 2 项解释原因)?
// role-for-grp-l2
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*"
}
]
}
aws:userid的问题
读取关于键 aws:userid 的 docs 我们可以发现这个键的值由 role id:caller-specified-role-name,
where role id is the unique id of the role and the caller-specified-role-name is specified by the RoleSessionName parameter passed to the AssumeRole request.
所以 aws:userid 的值类似于 AIDAJQABLZS4A3QDU576Q:SomeNameYouGive。因此,您的条件永远不会匹配 arn:aws:sts::123456789012:assumed-role/role-for-grp-l2/myuser1234,然后用户无法采取该操作。
- 以另一种方式使用条件
假设RoleSessionName是用户名,可以这样使用条件:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"lambda:InvokeFunction",
"lambda:InvokeAsync",
"lambda:ListVersionsByFunction",
"lambda:GetFunction",
"lambda:ListAliases"
],
"Resource": "arn:aws:lambda:*:123456789012:function:my-lambda-function",
"Condition": {
"StringLike": {
"aws:userid": "*:myuser1234"
}
}
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:ListLayers",
"lambda:ListLayerVersions"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:userid": "*:myuser1234"
}
}
}
]
}
如果您愿意,您可以使用 AWS CLI 和命令删除 * 通配符获取 role id:
aws iam get-role --role-name ROLE_NAME
并改变条件如下:
"Condition": {
"StringEquals": {
"aws:userid": "ROLE_ID:myuser1234"
}
}