
访问单独ARN资源问题的角色策略

  • hbk  · 技术社区  · 8 年前

    我想为 IAM 用户添加一条策略，只允许其访问少数几张表。

    我参照了 this document

    我的策略：

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "cloudwatch:DescribeAlarmHistory",
                    "cloudwatch:DescribeAlarms",
                    "cloudwatch:DescribeAlarmsForMetric",
                    "cloudwatch:GetMetricStatistics",
                    "cloudwatch:ListMetrics",
                    "datapipeline:DescribeObjects",
                    "datapipeline:DescribePipelines",
                    "datapipeline:GetPipelineDefinition",
                    "datapipeline:ListPipelines",
                    "datapipeline:QueryObjects",
                    "dynamodb:BatchGetItem",
                    "dynamodb:DescribeTable",
                    "dynamodb:GetItem",
                    "dynamodb:ListTables",
                    "dynamodb:Query",
                    "dynamodb:Scan",
                    "dynamodb:DescribeReservedCapacity",
                    "dynamodb:DescribeReservedCapacityOfferings",
                    "sns:ListSubscriptionsByTopic",
                    "sns:ListTopics",
                    "lambda:ListFunctions",
                    "lambda:ListEventSourceMappings",
                    "lambda:GetFunctionConfiguration"
                ],
                "Effect": "Allow",
                "Resource": [
                    "arn:aws:dynamodb:eu-west-1: xxxxxxxxxxxx:table:table/<TableName>", //commented real name
                    "arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table/<TableName>" //commented real name
                ]
            }
        ]
    }
    

    结果我收到了“未授权”（Not authorized）的消息

    enter image description here

    但当我把 Resource 改为 "*" 时，一切都正常。

    那么，为什么我不能只对单独的一张表启用完整的读取访问？

    1 回复  |  直到 8 年前
  •   hbk    8 年前

    解决方案（感谢来自亚马逊的迪普什 S.）如下所示。之所以可行，是因为第二条语句（NonResourceBasedActions）中的 List/Describe 类操作不支持资源级权限，只能以 "*" 作为 Resource，而真正读取表数据的操作仍然限定在具体表的 ARN 上，这样权限范围仍然是最小的；另外，Resource 中第一条 ARN（带空格且含重复的 `table:table/`）看起来格式不对，第二条才是正确写法，建议只保留第二条。

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ResourceBasedActions",
                "Action": [
                    "datapipeline:DescribeObjects",
                    "datapipeline:DescribePipelines",
                    "datapipeline:GetPipelineDefinition",
                    "datapipeline:QueryObjects",
                    "dynamodb:BatchGetItem",
                    "dynamodb:DescribeTable",
                    "dynamodb:GetItem",
                    "dynamodb:Query",
                    "dynamodb:Scan",
                    "lambda:GetFunctionConfiguration"
                ],
                "Effect": "Allow",
                "Resource": [
                     "arn:aws:dynamodb:eu-west-1: xxxxxxxxxxxx:table:table/<TableName>", 
                    "arn:aws:dynamodb:eu-west-1:xxxxxxxxxxxx:table/<TableName>" 
                ]
            },
            {
                "Sid": "NonResourceBasedActions",
                "Action": [
                    "cloudwatch:DescribeAlarmHistory",
                    "cloudwatch:DescribeAlarms",
                    "cloudwatch:DescribeAlarmsForMetric",
                    "cloudwatch:GetMetricStatistics",
                    "cloudwatch:ListMetrics",
                    "datapipeline:ListPipelines",
                    "dynamodb:ListTables",
                    "sns:ListSubscriptionsByTopic",
                    "sns:ListTopics",
                    "lambda:ListFunctions",
                    "lambda:ListEventSourceMappings",
                    "dynamodb:DescribeReservedCapacity",
                    "dynamodb:DescribeReservedCapacityOfferings"
                ],
                "Effect": "Allow",
                "Resource": [
                    "*"
                ]
            }
        ]
    }