How to limit SSM documents accessible by an IAM role for StartAutomationExecution using tags?
I have an IAM role that can start automations. I want to restrict which documents it can access by using tags.
I have added this policy, but it does not work.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "ssm:StartAutomationExecution"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Deny",
      "Action": "ssm:StartAutomationExecution",
      "Resource": [
        "arn:aws:ssm:*:*:document/*",
        "arn:aws:ssm:*:*:automation-definition/*:$DEFAULT"
      ],
      "Condition": {
        "StringNotEquals": {
          "ssm:resourceTag/Role": "${aws:PrincipalTag/Role}"
        }
      }
    }
  ]
}
```

This condition is not supported for the StartAutomationExecution action.
See https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awssystemsmanager.html