亚马逊现在支持能够通过IAM策略在分支机构的基础上限制对CodeCommit存储库的访问。
我已使用下面的策略形式成功拒绝访问特定分支,但无法找到拒绝访问以特定名称开头的所有分支的方法。
即:掌握和开发是特定的分支,但后来我有释放-1,释放-2等我也想否认。
我想要的是能够使用通配符。我试过发布 - *但是没有用。
他们的格式是在“codecommit:References”中包含通配符吗?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"codecommit:GitPush",
"codecommit:DeleteBranch",
"codecommit:PutFile",
"codecommit:MergePullRequestByFastForward"
],
"Resource": "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo",
"Condition": {
"StringEqualsIfExists": {
"codecommit:References": [
"refs/heads/master",
"refs/heads/develop",
"refs/heads/release-[now what]"
]
},
"Null": {
"codecommit:References": false
}
}
}
]
}
答案 0 :(得分:-1)
这是一个IAM策略,它假设支持此处列出的所有条件运算符:https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html。但由于'GitPush'动作本身涉及场景背后的两个独立动作,为了实现预期的行为,应该使用..IfExists条件运算符族。话虽如此,为了在这种情况下使用通配符,应该使用“StringLikeIfExists”。您的政策可能是这样的:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": [
"codecommit:GitPush"
],
"Resource": "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo",
"Condition": {
"StringLikeIfExists": {
"codecommit:References": [
"refs/heads/release-*"
]
},
"Null": {
"codecommit:References": false
}
}
},
{
"Effect": "Deny",
"Action": [
"codecommit:GitPush",
"codecommit:DeleteBranch",
"codecommit:PutFile",
"codecommit:MergePullRequestByFastForward"
],
"Resource": "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo",
"Condition": {
"StringEqualsIfExists": {
"codecommit:References": [
"refs/heads/master",
"refs/heads/prod"
]
},
"Null": {
"codecommit:References": false
}
}
}
] }
这样就可以支持通配符匹配和完全匹配。