STS角色信任关系

时间:2019-05-29 10:30:21

标签: amazon-web-services amazon-iam aws-sts

我已经在目标帐户中使用定义了信任关系

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[SOURCE_ACCOUNT_NUMBER]:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

我想添加一个条件,以在使用联合身份验证(STS)时仅允许特定用户访问此帐户。因此,我将信任关系修改为:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[SOURCE_ACCOUNT_NUMBER]:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:user-name": "[USER-NAME-FROM-SOURCE-ACCOUNT]"
        }
      }
    }
  ]
}

但是,这种情况没有得到评估。在这种情况下,aws:user-name正确吗?

参考:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html

1 个答案:

答案 0 :(得分:1)

如果您指定了用户名,则实际上可以在主体字段中指定特定用户,例如:

"Principal": { 
  "AWS": "arn:aws:iam::123456789012:user/<username>" 
},
相关问题
最新问题