Goal:
Create an IAM role policy that allows the role to perform the defined AWS Athena read actions on Athena resources only when the role's tag equals the Athena resource's tag.
Problem
When a user assumes the role, the user is denied the Athena read actions defined in the policy below. For example, the user is denied access to athena:ListWorkGroups in both the AWS console and the AWS CLI.
AWS Athena console error (under the "Workgroup: primary" section):
User: arn:aws:sts::123456789:assumed-role/example-role/example-user is not authorized to perform: athena:ListWorkGroups
AWS CLI error using the following command: aws athena list-work-groups --profile example-role-profile
An error occurred (AccessDeniedException) when calling the ListWorkGroups operation: User: arn:aws:sts::123456789:assumed-role/example-role/botocore-session-59458209 is not authorized to perform: athena:ListWorkGroups
Looking at the docs, Athena is in the list of services that allow tag-based IAM authorization.
Example AWS configuration:
IAM role name = example-role
IAM role tags:
foo = bar
Athena workgroup tags:
foo = bar
IAM role policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:List*",
                "athena:Batch*",
                "athena:Get*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/foo": "${aws:PrincipalTag/foo}"
                }
            }
        }
    ]
}
Attempted:
Used the resource type inside the resource tag condition: athena:ResourceTag/foo
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "athena:List*",
                "athena:Batch*",
                "athena:Get*"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "athena:ResourceTag/foo": "${aws:PrincipalTag/foo}"
                }
            }
        }
    ]
}
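An added example, not part of the question above and a simplified model rather than the AWS policy engine: a small Python evaluator that mimics how a StringEquals condition behaves when its key is absent from the request context. ListWorkGroups is not evaluated against a specific tagged workgroup, so aws:ResourceTag/foo is never present and the condition cannot match; the FIXED_POLICY below is a hypothetical adjustment (an assumption, not from the post) that grants that one list action without the tag condition while keeping the tag match for workgroup-scoped reads.

```python
import copy
import fnmatch

# Policy as posted in the question: every Athena read is gated on a tag match.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["athena:List*", "athena:Batch*", "athena:Get*"],
        "Resource": "*",
        "Condition": {"StringEquals": {"aws:ResourceTag/foo": "${aws:PrincipalTag/foo}"}},
    }],
}

# Hypothetical fix (an assumption, not from the post): ListWorkGroups has no workgroup
# resource whose tags could be checked, so it gets a statement without the tag condition.
FIXED_POLICY = copy.deepcopy(ORIGINAL_POLICY)
FIXED_POLICY["Statement"].append(
    {"Effect": "Allow", "Action": ["athena:ListWorkGroups"], "Resource": "*"}
)

def condition_matches(cond, ctx):
    """StringEquals semantics: a key absent from the request context fails the test."""
    for key, expected in cond.get("StringEquals", {}).items():
        if expected.startswith("${") and expected.endswith("}"):
            expected = ctx.get(expected[2:-1])  # expand ${aws:PrincipalTag/...}
        if key not in ctx or ctx[key] != expected:
            return False
    return True

def is_allowed(policy, action, ctx):
    """Simplified IAM evaluation: an explicit Deny wins, otherwise any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

# Constructed request contexts for the role tagged foo=bar.
LIST_CTX = {"aws:PrincipalTag/foo": "bar"}  # no resource in the request, so no ResourceTag key
WORKGROUP_CTX = {"aws:PrincipalTag/foo": "bar", "aws:ResourceTag/foo": "bar"}
```

Running is_allowed(ORIGINAL_POLICY, "athena:ListWorkGroups", LIST_CTX) reproduces the denial, while the same call against FIXED_POLICY is allowed and GetWorkGroup on a workgroup tagged foo=bar stays allowed under both.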