gpt4 book ai didi

amazon-web-services - 访问单独 ARN 资源问题的角色策略

转载 作者:行者123 更新时间:2023-12-04 18:00:24 27 4
gpt4 key购买 nike

我想添加仅允许 IAM 用户访问少数表的策略。

关注this document

我的政策:

{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"cloudwatch:DescribeAlarmHistory",
"cloudwatch:DescribeAlarms",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:ListPipelines",
"datapipeline:QueryObjects",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:ListTables",
"dynamodb:Query",
"dynamodb:Scan",
"dynamodb:DescribeReservedCapacity",
"dynamodb:DescribeReservedCapacityOfferings",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"lambda:GetFunctionConfiguration"
],
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:eu-west-1: xxxxxxxxxxxx:table:table/<TableName>", //commented real name
"arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table/<TableName>" //commented real name
]
}
]
}

结果我收到“未授权”消息

enter image description here

但是当我将 Resource 更改为“*”时 - 一切正常。

那么为什么我不能只对单独的表启用完全读取访问权限?

最佳答案

解决方案,感谢 Deepesh S.(来自亚马逊),如下所列

{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ResourceBasedActions",
"Action": [
"datapipeline:DescribeObjects",
"datapipeline:DescribePipelines",
"datapipeline:GetPipelineDefinition",
"datapipeline:QueryObjects",
"dynamodb:BatchGetItem",
"dynamodb:DescribeTable",
"dynamodb:GetItem",
"dynamodb:Query",
"dynamodb:Scan",
"lambda:GetFunctionConfiguration"
],
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:eu-west-1: xxxxxxxxxxxx:table:table/<TableName>",
"arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table/<TableName>"
]
},
{
"Sid": "NonResourceBasedActions",
"Action": [
"cloudwatch:DescribeAlarmHistory",
"cloudwatch:DescribeAlarms",
"cloudwatch:DescribeAlarmsForMetric",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"datapipeline:ListPipelines",
"dynamodb:ListTables",
"sns:ListSubscriptionsByTopic",
"sns:ListTopics",
"lambda:ListFunctions",
"lambda:ListEventSourceMappings",
"dynamodb:DescribeReservedCapacity",
"dynamodb:DescribeReservedCapacityOfferings"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
]
}

关于amazon-web-services - 访问单独 ARN 资源问题的角色策略,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/36165727/

27 4 0
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com