I have a secret that I want only two roles to be able to read.
I set up a secret resource policy to reflect this, but other roles are still able to read my secret value, for example my admin role.
How would I explicitly deny every other role?
resource "aws_secretsmanager_secret" "mysecret" {
  name   = "tch/abc/mysecret"
  policy = data.aws_iam_policy_document.mysecret_secret_assume.json
}

# Each statement is its own "statement" block (HCL has no statement list syntax),
# and "identifiers" is always a list.
data "aws_iam_policy_document" "mysecret_secret_assume" {
  statement {
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.setter.arn]
    }
    actions = [
      "secretsmanager:ListSecrets",
      "secretsmanager:GetResourcePolicy",
      "secretsmanager:GetSecretValue",
      "secretsmanager:DescribeSecret",
      "secretsmanager:ListSecretVersionIds",
      "secretsmanager:PutSecretValue",
      "secretsmanager:UpdateSecretVersionStage",
      "secretsmanager:UpdateSecret",
      "secretsmanager:GetSecret"
    ]
    resources = ["*"]
  }

  statement {
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account}:role/Terraform"]
    }
    actions = [
      "secretsmanager:GetSecret",
      "secretsmanager:GetSecretValue",
      "secretsmanager:ListSecrets"
    ]
    resources = ["*"]
  }
}
Answer 0: (score: 1)
I assume your admin role was created with an IAM policy, and usually an admin role has all permissions. This means that when your secret resource policy says nothing about the admin role, the permissions of that IAM policy apply. You could try adding a statement such as:
  statement {
    effect = "Deny"
    principals {
      type        = "AWS"
      identifiers = ["$here put your admin role identifier$"]  # placeholder: the admin role ARN
    }
    actions = [
      "secretsmanager:*"
    ]
    resources = ["*"]
  }
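As an added example (not the asker's or the answerer's code), the following denies every principal except the two allowed roles in one statement, so a future admin role is locked out without having to list it. It reuses the `aws_iam_role.setter` and `local.account` names from the question, and it uses the `aws:PrincipalArn` condition key rather than `not_principals`, because `NotPrincipal` accepts no wildcards and would require every assumed-role session ARN to be listed.

```hcl
data "aws_iam_policy_document" "mysecret_secret_policy" {
  # Allow the two roles from the question the actions they actually need.
  statement {
    sid    = "AllowSetterRole"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = [aws_iam_role.setter.arn]
    }
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:PutSecretValue",
                 "secretsmanager:DescribeSecret"]
    resources = ["*"]
  }

  # The role Terraform applies with must keep the *ResourcePolicy actions,
  # otherwise the Deny below stops Terraform from ever changing this policy again.
  statement {
    sid    = "AllowTerraformRole"
    effect = "Allow"
    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${local.account}:role/Terraform"]
    }
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret",
                 "secretsmanager:GetResourcePolicy", "secretsmanager:PutResourcePolicy",
                 "secretsmanager:DeleteResourcePolicy"]
    resources = ["*"]
  }

  # An explicit Deny beats any identity-based Allow (such as AdministratorAccess),
  # so everyone whose role ARN is not in the list is blocked, admin roles included.
  statement {
    sid    = "DenyEveryoneElse"
    effect = "Deny"
    principals {
      type        = "AWS"
      identifiers = ["*"]
    }
    actions   = ["secretsmanager:*"]
    resources = ["*"]
    condition {
      test     = "ArnNotEquals"
      variable = "aws:PrincipalArn"   # resolves to the role ARN for assumed-role sessions
      values   = [aws_iam_role.setter.arn, "arn:aws:iam::${local.account}:role/Terraform"]
    }
  }
}
```

Check `terraform plan` with the credentials you actually apply with and confirm that role is one of the two exempted ARNs; an apply from any other role succeeds once and then cannot read or rewrite the policy.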