IAM 策略问题我只想附加一个策略并拒绝其他策略
IAM policy problem I want to attach only one policy and deny others
我制定了如下政策。我只想允许使用 snowflake_access 策略的 CreateRole。每次执行 lambda 代码时,我还可以将其他策略附加到此角色。我不知道为什么,因为很明显我拒绝了其他政策,只允许一个。有人可以帮我吗?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "iam:CreateRole",
"Resource": "arn:aws:iam::*:role/snowflake-role*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "iam:AttachRolePolicy",
"Resource": [
"arn:aws:iam::7882...:policy/snowflake_access",
"arn:aws:iam::*:role/snowflake-role*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Deny",
"Action": "iam:*",
"Resource": [
"arn:aws:iam::*:role/snowflake-role*"
]
}
]
}
如果您查看 actions defined by IAM,您会看到 table 将操作映射到资源类型和条件键等。例如:
Action
Resource Type(s)
Condition Keys
AttachRolePolicy
role*
iam:PolicyARN
iam:PermissionsBoundary
CreateRole
role*
iam:PermissionsBoundary
aws:TageKeys
aws:RequestTage/${TagKey}
请特别注意,AttachRolePolicy 操作仅适用于 IAM 角色,不适用于策略。您指定了角色 ARN (snowflake-role*) 和策略 ARN (snowflake_access),但只有前者是此处合法。
相同的 table 条目还表明 iam:PolicyARN 是 AttachRolePolicy 操作的有效条件键。因此,要指示策略 ARN,您可以添加 iam:PolicyARN 的条件键,如下所示。
{
"Sid": "sid1",
"Effect": "Allow",
"Action": "iam:AttachRolePolicy",
"Resource": [
"arn:aws:iam::*:role/snowflake-role*"
],
"Condition": {
"StringEquals": {
"iam:PolicyARN": "arn:aws:iam::7882...:policy/snowflake_access"
}
}
},
我不确定这是否能解决您遇到的所有问题,但我认为这是问题的一部分。
我制定了如下政策。我只想允许使用 snowflake_access 策略的 CreateRole。每次执行 lambda 代码时,我还可以将其他策略附加到此角色。我不知道为什么,因为很明显我拒绝了其他政策,只允许一个。有人可以帮我吗?
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "iam:CreateRole",
"Resource": "arn:aws:iam::*:role/snowflake-role*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "iam:AttachRolePolicy",
"Resource": [
"arn:aws:iam::7882...:policy/snowflake_access",
"arn:aws:iam::*:role/snowflake-role*"
]
},
{
"Sid": "VisualEditor2",
"Effect": "Deny",
"Action": "iam:*",
"Resource": [
"arn:aws:iam::*:role/snowflake-role*"
]
}
]
}
如果您查看 actions defined by IAM,您会看到 table 将操作映射到资源类型和条件键等。例如:
| Action | Resource Type(s) | Condition Keys |
|---|---|---|
| AttachRolePolicy | role* | iam:PolicyARN iam:PermissionsBoundary |
| CreateRole | role* | iam:PermissionsBoundary aws:TageKeys aws:RequestTage/${TagKey} |
请特别注意,AttachRolePolicy 操作仅适用于 IAM 角色,不适用于策略。您指定了角色 ARN (snowflake-role*) 和策略 ARN (snowflake_access),但只有前者是此处合法。
相同的 table 条目还表明 iam:PolicyARN 是 AttachRolePolicy 操作的有效条件键。因此,要指示策略 ARN,您可以添加 iam:PolicyARN 的条件键,如下所示。
{
"Sid": "sid1",
"Effect": "Allow",
"Action": "iam:AttachRolePolicy",
"Resource": [
"arn:aws:iam::*:role/snowflake-role*"
],
"Condition": {
"StringEquals": {
"iam:PolicyARN": "arn:aws:iam::7882...:policy/snowflake_access"
}
}
},
我不确定这是否能解决您遇到的所有问题,但我认为这是问题的一部分。