java - AWS Java SDK 错误 - IAM 用户的 withPermissionsBoundary

Question

使用适用于 JAVA 的 AWS 开发工具包，我想限制对单个存储桶文件夹的访问。当我尝试运行此代码以将权限分配给新的 IAM 用户时:

final AmazonIdentityManagement client = AmazonIdentityManagementClientBuilder
            .standard()
            .withCredentials(new AWSStaticCredentialsProvider(credentials))
            .withRegion(Regions.US_EAST_2)
            .build();

    try {                       
        String permissionsBoundary = 
        "{" + 
        "\"Version\": \"2012-10-17\"," + 
        "  \"Statement\": [" +
        "    {" + 
        "      \"Effect\": \"Allow\"," + 
        "      \"Action\": "+
        "       [" + 
        "        \"s3:PutObject\"," + 
        "        \"s3:GetObject\"," + 
        "        \"s3:DeleteObject\"" + 
        "      ]," + 
        "      \"Resource\": \"arn:aws:s3:::mybucket/*\"" + 
        "    }" + 
        "  ]" + 
        "}";

        CreateUserRequest request = new CreateUserRequest()
                .withUserName(usernameIAM)
                .withPermissionsBoundary(permissionsBoundary);
        CreateUserResult response = client.createUser(request);     

我收到此错误:

ARN {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"arn:aws:s3:::*"}]} is not valid. (Service: AmazonIdentityManagement; Status Code: 400; Error Code: InvalidInput; Request ID: ...xxxxxxxxxxxx...)[Ljava.lang.StackTraceElement;@2f3a60a1

我关注了这个 Amazon IAM Policy

withPermissionsBoundary 方法的正确用法是什么以及如何正确定义规则？

Answer 1

错误消息如下:

ARN 
{
    "Version": "2012-10-17",
    "Statement": [{
            "Effect": "Allow",
            "Action": "s3:ListAllMyBuckets",
            "Resource": "arn:aws:s3:::*"
        }
    ]
}
is not valid.

这显然不是有效的 ARN，因为它根本不是 ARN，而是一项策略。你的代码中哪里使用了这个？无论在何处使用，您都需要将其替换为正确的 ARN。