Goal:
Create an IAM role policy that allows the role to perform the defined actions on an AWS resource only when the role's tag equals the resource's tag.
For example:
IAM role tag:
foo = bar
CodeBuild project tag:
foo = bar
IAM role policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:List*",
        "codebuild:DescribeTestCases",
        "codebuild:DescribeCodeCoverages",
        "codebuild:BatchGet*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/foo": "${aws:PrincipalTag/foo}"
        }
      }
    }
  ]
}
When a user assumes the role, the user is denied codebuild:ListProjects access on the projects that carry the same foo=bar key pair as the role, both in the AWS console and in the AWS CLI.
AWS console error:
User: arn:aws:sts::123456789:assumed-role/example-role/example-user is not authorized to perform: codebuild:ListProjects
AWS CLI error, using the command aws codebuild list-projects --profile test:
An error occurred (AccessDeniedException) when calling the ListProjects operation: User: arn:aws:sts::123456789:assumed-role/example-role/botocore-session-59458209 is not authorized to perform: codebuild:ListProjects
Attempts:
#1
Used the actual key pair value in the policy condition:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:List*",
        "codebuild:DescribeTestCases",
        "codebuild:DescribeCodeCoverages",
        "codebuild:BatchGet*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/foo": "bar"
        }
      }
    }
  ]
}
Result: the same access denied error for codebuild:ListProjects on the AWS console.
#2
Removed the curly brackets from ${aws:PrincipalTag/foo} (shooting from the hip here):
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:List*",
        "codebuild:DescribeTestCases",
        "codebuild:DescribeCodeCoverages",
        "codebuild:BatchGet*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/foo": "aws:PrincipalTag/foo"
        }
      }
    }
  ]
}
#3
Used the service-specific resource tag key codebuild:ResourceTag/foo in the condition:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "codebuild:List*",
        "codebuild:DescribeTestCases",
        "codebuild:DescribeCodeCoverages",
        "codebuild:BatchGet*"
      ],
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "codebuild:ResourceTag/foo": "${aws:PrincipalTag/foo}"
        }
      }
    }
  ]
}
Same codebuild:ListProjects access denied error on the AWS console.
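The evaluation the question runs into, as an added example that is not part of the original post and not AWS's own code: a small Python model of the request context IAM evaluates a condition against. Its assumption, which matches the IAM condition-key and CodeBuild action documentation, is that a list-type call such as codebuild:ListProjects names no project, so no aws:ResourceTag/* key exists in the request context and a StringEquals on that key cannot match (the codebuild:ResourceTag/foo variant of attempt #3 fails for the same reason). SPLIT_POLICY is the example's own restructuring, not something the page states.

```python
# Added example (not from the original post): a small model of how IAM evaluates
# the question's ABAC condition. It models only Allow statements, action wildcards,
# ${...} policy variables and StringEquals; real IAM evaluation is far richer.
import fnmatch
import re

TAG_MATCH = {"StringEquals": {"aws:ResourceTag/foo": "${aws:PrincipalTag/foo}"}}

# The policy posted in the question.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["codebuild:List*", "codebuild:DescribeTestCases",
                   "codebuild:DescribeCodeCoverages", "codebuild:BatchGet*"],
        "Resource": "*",
        "Condition": TAG_MATCH,
    }],
}

# Assumed restructuring (this example's own, not from the page): list actions,
# which name no resource, get an unconditional statement; the tag match stays on
# the actions that do target a project.
SPLIT_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "codebuild:List*", "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["codebuild:DescribeTestCases", "codebuild:DescribeCodeCoverages",
                    "codebuild:BatchGet*"],
         "Resource": "*",
         "Condition": TAG_MATCH},
    ],
}

_POLICY_VAR = re.compile(r"\$\{([^}]+)\}")


def build_context(principal_tags, resource_tags=None):
    """Model the request context IAM evaluates conditions against.

    aws:PrincipalTag/* keys come from the assumed role's tags. aws:ResourceTag/*
    keys are only present when the call targets a tagged resource; pass
    resource_tags=None for list-type calls such as codebuild:ListProjects,
    which name no project and therefore carry no resource tags.
    """
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    if resource_tags is not None:
        ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return ctx


def _resolve(value, ctx):
    # Substitute ${aws:PrincipalTag/foo}; an unset variable is left as literal
    # text, which never equals a real tag value.
    return _POLICY_VAR.sub(lambda m: ctx.get(m.group(1), m.group(0)), value)


def _condition_holds(condition, ctx):
    # StringEquals against a key that is absent from the context fails; IAM only
    # ignores a missing key with the ...IfExists form of the operator.
    for key, expected in condition.get("StringEquals", {}).items():
        if key not in ctx or ctx[key] != _resolve(expected, ctx):
            return False
    return True


def is_allowed(policy, action, ctx):
    """True if some Allow statement matches the action and its condition holds."""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        patterns = stmt["Action"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if not any(fnmatch.fnmatchcase(action, p) for p in patterns):
            continue
        if _condition_holds(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    role = {"foo": "bar"}                       # the role's tag from the question
    listing = build_context(role)               # ListProjects: no resource, no ResourceTag
    same_tag = build_context(role, {"foo": "bar"})
    other_tag = build_context(role, {"foo": "baz"})
    for name, policy in (("original", ORIGINAL_POLICY), ("split", SPLIT_POLICY)):
        print(name, "ListProjects:", is_allowed(policy, "codebuild:ListProjects", listing))
        print(name, "BatchGetProjects same tag:",
              is_allowed(policy, "codebuild:BatchGetProjects", same_tag))
        print(name, "BatchGetProjects other tag:",
              is_allowed(policy, "codebuild:BatchGetProjects", other_tag))
```

Under ORIGINAL_POLICY the ListProjects call is implicitly denied because the statement's only condition key is absent from the context, while BatchGetProjects on a project tagged foo=bar is allowed and on a project tagged foo=baz is denied. SPLIT_POLICY keeps that per-project tag match and allows the listing call. Against the real evaluator the same implicit deny can be checked with the IAM policy simulator (aws iam simulate-principal-policy).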
Answer 0 (score: 1)