我尝试根据以下示例提供政策:https://docs.aws.amazon.com/systems-manager/latest/userguide/getting-started-restrict-access-examples.html
但是,我不断收到警告,但它不起作用。
到目前为止,这些都是我尝试过的:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStartSessionExceptProd",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"ssm:resourceTag/environment": [
"prod",
"Prod"
]
}
}
}
]
}
或
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStartSessionExceptProd",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"arn:aws:ec2:*:*:instance": [
"i-myInstanceId1",
"i-myInstanceId2"
]
}
}
}
]
}
或者甚至我尝试使用更多基于资源的条件。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowStartSessionExceptProd",
"Effect": "Allow",
"Action": [
"ssm:StartSession"
],
"Resource": "*",
"Condition": {
"StringNotLike": {
"ssm:resourceTag/environment": [
"prod",
"Prod"
],
"arn:aws:ec2:*:*:resourceTag/environment": [
"prod",
"Prod"
],
"ec2:resourceTag/environment": [
"prod",
"Prod"
]
}
}
}
]
}
通常,我要做的就是允许访问在不是prod服务器的服务器上的SSM中启动会话。
我的EC2产品服务器都带有标签environment:prod
在每种无效的情况下,我都会收到一条错误消息:
There are no actions in your policy that support this condition key.
示例:
ec2:resourceTag /environment (StringNotLike prod and Prod)
There are no actions in your policy that support this condition key.
感谢您的帮助。
答案 0 :(得分:1)
从评论和一些调查中,可以找到答案:
在docs中,很容易注意到哪些操作支持什么条件。
不幸的是,为“限制访问”提供的示例是错误的,即,包含示例代码的文档中存在错误。
PR可能是个好主意,因此其他人不会坚持下去。