Role policy problem: access to an individual ARN resource

Time: 2016-03-22 21:37:45

Tags: amazon-web-services amazon amazon-dynamodb amazon-policy

I want to add a policy that allows an IAM user to access only a few tables.

Following this document

My policy (the real table name is replaced with <TableName>):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "datapipeline:DescribeObjects",
                "datapipeline:DescribePipelines",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:ListPipelines",
                "datapipeline:QueryObjects",
                "dynamodb:BatchGetItem",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:ListTables",
                "dynamodb:Query",
                "dynamodb:Scan",
                "dynamodb:DescribeReservedCapacity",
                "dynamodb:DescribeReservedCapacityOfferings",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "lambda:ListFunctions",
                "lambda:ListEventSourceMappings",
                "lambda:GetFunctionConfiguration"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table:table/<TableName>",
                "arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table/<TableName>"
            ]
        }
    ]
}

As a result I get a "Not Authorized" message


But when I change the resource to "*", everything works.

So why can't I enable full read access for just an individual table?

1 answer:

Answer 0 (score: 1)

The solution, thanks to Deepesh S. (from Amazon), is listed below

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ResourceBasedActions",
            "Action": [
                "datapipeline:DescribeObjects",
                "datapipeline:DescribePipelines",
                "datapipeline:GetPipelineDefinition",
                "datapipeline:QueryObjects",
                "dynamodb:BatchGetItem",
                "dynamodb:DescribeTable",
                "dynamodb:GetItem",
                "dynamodb:Query",
                "dynamodb:Scan",
                "lambda:GetFunctionConfiguration"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table:table/<TableName>",
                "arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table/<TableName>"
            ]
        },
        {
            "Sid": "NonResourceBasedActions",
            "Action": [
                "cloudwatch:DescribeAlarmHistory",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:DescribeAlarmsForMetric",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "datapipeline:ListPipelines",
                "dynamodb:ListTables",
                "sns:ListSubscriptionsByTopic",
                "sns:ListTopics",
                "lambda:ListFunctions",
                "lambda:ListEventSourceMappings",
                "dynamodb:DescribeReservedCapacity",
                "dynamodb:DescribeReservedCapacityOfferings"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        }
    ]
}
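The point of the accepted answer is that some of the listed actions (ListTables, ListTopics, the CloudWatch Describe* calls, and so on) are not tied to any particular resource, so a statement that scopes them to a table ARN never matches and IAM denies the request; the table-scoped actions keep the narrow ARN, and only the non-resource actions get "*". The following script is an added example, not code from the question or the answer: it takes the question's action list, splits it into the two statements the answer shows, and lints an existing policy for the two mistakes a reviewer looks for (non-resource actions scoped to an ARN, which fail; resource-scoped actions on "*", which are over-broad). The set of non-resource actions is copied from the answer's second statement, the table-ARN pattern and the account id 123456789012 are constructed assumptions for the example.

```python
import json
import re

# Actions the accepted answer places in its "NonResourceBasedActions"
# statement: they are not tied to a table or other resource, so a policy
# must grant them on Resource "*". Taken from the answer on the page.
NON_RESOURCE_ACTIONS = frozenset({
    "cloudwatch:DescribeAlarmHistory",
    "cloudwatch:DescribeAlarms",
    "cloudwatch:DescribeAlarmsForMetric",
    "cloudwatch:GetMetricStatistics",
    "cloudwatch:ListMetrics",
    "datapipeline:ListPipelines",
    "dynamodb:ListTables",
    "sns:ListSubscriptionsByTopic",
    "sns:ListTopics",
    "lambda:ListFunctions",
    "lambda:ListEventSourceMappings",
    "dynamodb:DescribeReservedCapacity",
    "dynamodb:DescribeReservedCapacityOfferings",
})

# The full action list from the question's policy (copied from the page).
QUESTION_ACTIONS = sorted(NON_RESOURCE_ACTIONS | {
    "datapipeline:DescribeObjects",
    "datapipeline:DescribePipelines",
    "datapipeline:GetPipelineDefinition",
    "datapipeline:QueryObjects",
    "dynamodb:BatchGetItem",
    "dynamodb:DescribeTable",
    "dynamodb:GetItem",
    "dynamodb:Query",
    "dynamodb:Scan",
    "lambda:GetFunctionConfiguration",
})

# Assumed shape of a DynamoDB table ARN (an assumption of this example, not an
# AWS API): arn:aws:dynamodb:<region>:<12-digit account>:table/<name>, with no
# whitespace. It rejects the stray-space / "table:table" ARN from the question.
TABLE_ARN_RE = re.compile(
    r"^arn:aws[a-z-]*:dynamodb:[a-z0-9-]+:\d{12}:table/[A-Za-z0-9_.-]+$")


def table_arn(region, account_id, table_name):
    """Build a table ARN; account_id and table_name are caller-supplied."""
    return f"arn:aws:dynamodb:{region}:{account_id}:table/{table_name}"


def is_valid_table_arn(arn):
    return TABLE_ARN_RE.match(arn) is not None


def build_policy(actions, table_arns):
    """Split actions into a table-scoped statement and a "*" statement,
    mirroring the two-statement layout of the accepted answer."""
    bad = [a for a in table_arns if not is_valid_table_arn(a)]
    if bad:
        raise ValueError(f"malformed table ARN(s): {bad}")
    scoped = sorted(a for a in actions if a not in NON_RESOURCE_ACTIONS)
    wildcard = sorted(a for a in actions if a in NON_RESOURCE_ACTIONS)
    statements = []
    if scoped:
        statements.append({"Sid": "ResourceBasedActions", "Effect": "Allow",
                           "Action": scoped, "Resource": sorted(table_arns)})
    if wildcard:
        statements.append({"Sid": "NonResourceBasedActions", "Effect": "Allow",
                           "Action": wildcard, "Resource": ["*"]})
    return {"Version": "2012-10-17", "Statement": statements}


def lint_policy(policy):
    """Return findings: non-resource actions scoped to an ARN (never match,
    so IAM denies them) and resource-scoped actions granted on "*"."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = set(stmt["Action"])
        resources = stmt["Resource"]
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources:
            for a in sorted(actions - NON_RESOURCE_ACTIONS):
                findings.append(("over-broad", a))
        else:
            for a in sorted(actions & NON_RESOURCE_ACTIONS):
                findings.append(("will-not-authorize", a))
    return findings


if __name__ == "__main__":
    # Constructed sample: one table in eu-west-1 under a placeholder account id.
    arns = [table_arn("eu-west-1", "123456789012", "Orders")]
    asker = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": QUESTION_ACTIONS, "Resource": arns}]}
    print("question's policy:", lint_policy(asker))
    print(json.dumps(build_policy(QUESTION_ACTIONS, arns), indent=2))
```

Running it lints the question's single-statement policy and reports every List*/Describe* action as one that will not authorize, then prints the two-statement replacement; the generated policy itself lints clean. When adding a new action to a real policy, the reliable check is the action's "resource types" entry in the IAM service authorization reference, which is what this classification stands in for.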