Unable to assign amplify:ListDomainAssociations to a user

Time: 2019-03-21 08:45:02

Tags: amazon-web-services amazon-iam aws-amplify

I need to allow a developer to access the AWS Amplify service with all permissions except creating, deleting and updating domain associations. I made the following policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "amplify:ListDomainAssociations",
                "amplify:CreateBranch",
                "amplify:ListBranches",
                "amplify:GetApp",
                "amplify:UpdateApp"
            ],
            "Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "amplify:GetBranch",
                "amplify:ListJobs",
                "amplify:DeleteBranch",
                "amplify:UpdateBranch"
            ],
            "Resource": "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/branches/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "amplify:GetJob",
                "amplify:GetDomainAssociation",
                "amplify:DeleteJob",
                "amplify:StartJob",
                "amplify:StopJob"
            ],
            "Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/branches/*/jobs/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/domains/*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "amplify:CreateApp",
                "amplify:ListApps"
            ],
            "Resource": "*"
        }
    ]
}

This policy was generated using the visual editor. As you can see, I have allowed amplify:ListDomainAssociations on arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*

I attached the policy to the user, but when he logs in to the AWS console through a browser, he gets this error

User: arn:aws:iam::26XXXXXXXXXX:user/tp_amplifyPermissionTest is not authorized to perform: amplify:ListDomainAssociations on resource: arn:aws:amplify:us-east-1:26XXXXXXXXXX:user:/apps/d1xxxxxxxxxxxx/domains

I see that in the resource name inside the error message, : is followed by /, whereas there is no / in the ARN resource name in my policy. So I tried adding it, allowing amplify:ListDomainAssociations for the following resource arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*, but it says / is unexpected, so I can't save.

I also tried editing the resource as follows

/

But still no success. Any idea what is going wrong?

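1 answer:

Answer 0: (score: 0)

There seems to be some confusion on the AWS side. Some Resources should be added with :app, while others should be added with :/app. This is how I modified the policy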

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "amplify:ListDomainAssociations",
                "amplify:CreateBranch",
                "amplify:ListBranches",
                "amplify:GetApp",
                "amplify:UpdateApp"
            ],
            "Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "amplify:GetBranch",
                "amplify:ListJobs",
                "amplify:DeleteBranch",
                "amplify:UpdateBranch"
            ],
            "Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/branches/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*/branches/*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "amplify:GetJob",
                "amplify:GetDomainAssociation",
                "amplify:DeleteJob",
                "amplify:StartJob",
                "amplify:StopJob"
            ],
            "Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/branches/*/jobs/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/domains/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*/branches/*/jobs/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*/domains/*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "amplify:CreateApp",
                "amplify:ListApps"
            ],
            "Resource": "*"
        }
    ]
}

This worked for me
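
The mismatch discussed in the question and answer, reproduced locally as an added example (not code from the original post): it pulls the action and resource ARN out of an access-denied message and reports which Allow statement grants the action but has no matching Resource pattern. The matcher is a simplification that ignores Deny, NotAction, NotResource and Condition; the account id, user name and app id are constructed placeholders, and the error ARN assumes the `:/apps/...` form the question describes.

```python
import json
import re

# Constructed sample: a cut-down version of the question's first statement.
ORIGINAL = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Action": ["amplify:ListDomainAssociations", "amplify:ListBranches"],
  "Resource": ["arn:aws:amplify:us-east-1:111122223333:apps/*"]}]}""")

# Same statement with the answer's additional ":/apps/*" resource form.
FIXED = json.loads(json.dumps(ORIGINAL))
FIXED["Statement"][0]["Resource"].append("arn:aws:amplify:us-east-1:111122223333:/apps/*")

# Constructed error text in the shape of the console message quoted in the question.
ERROR = ("User: arn:aws:iam::111122223333:user/dev is not authorized to perform: "
         "amplify:ListDomainAssociations on resource: "
         "arn:aws:amplify:us-east-1:111122223333:/apps/d1example/domains")

DENIED = re.compile(r"not authorized to perform: (\S+) on resource: (\S+)")

def as_list(value):
    # IAM allows Action/Resource/Statement to be a single value or a list.
    return value if isinstance(value, list) else [value]

def wildcard_match(pattern, text, ignore_case=False):
    """Simplified IAM-style match: '*' is any run of characters, '?' is one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, text, re.IGNORECASE if ignore_case else 0) is not None

def explain(policy, error_text):
    """Return (verdict, patterns) for the denied action/resource pair."""
    found = DENIED.search(error_text)
    if not found:
        raise ValueError("not an access-denied message of the expected shape")
    action, resource = found.groups()
    tried = []
    for stmt in as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are compared case-insensitively, ARNs case-sensitively.
        if not any(wildcard_match(a, action, True) for a in as_list(stmt["Action"])):
            continue
        for pattern in as_list(stmt["Resource"]):
            if wildcard_match(pattern, resource):
                return "allowed", [pattern]
            tried.append(pattern)
    return ("resource-mismatch" if tried else "action-not-granted"), tried

if __name__ == "__main__":
    for name, policy in (("original", ORIGINAL), ("fixed", FIXED)):
        print(name, *explain(policy, ERROR))
```

A `resource-mismatch` verdict means the action is granted but every Resource pattern in the granting statement differs from the ARN the service actually authorizes against, which is the situation the answer works around by listing both ARN forms.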