soh*_*pme 5 amazon-dynamodb amazon-iam
是否可以创建仅针对特定表提供对DynamoDB控制台的访问的AWS IAM策略?我试过了:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt0000000001",
"Action": [
"dynamodb:DescribeTable",
"dynamodb:ListTables",
<other actions>
],
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:<region>:<account>:table/FooTable",
"arn:aws:dynamodb:<region>:<account>:table/BarTable"
]
}
]
}
但对于附加了此策略的用户,DynamoDB表列表显示"未授权"(与未附加策略时一样).
将"Resource"设置为"*"并添加如下所示的新语句允许用户在FooTable和BarTable上执行<other actions>,但是他们也可以查看表列表中的所有其他表.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt0000000001",
"Action": [
<other actions>
],
"Effect": "Allow",
"Resource": [
"arn:aws:dynamodb:<region>:<account>:table/FooTable",
"arn:aws:dynamodb:<region>:<account>:table/BarTable"
]
},
{
"Sid": "Stmt0000000002",
"Action": [
"dynamodb:DescribeTable",
"dynamodb:ListTables"
],
"Effect": "Allow",
"Resource": "*"
}
]
}
对于坏消息感到抱歉,但AWS管理控制台需要对整个DynamoDB提供权限DescribeTable和ListTables权限才能正常运行.
但是,有一个小的解决方法...您可以为控制台用户提供一个URL,将其直接带到表中,并且可以正常运行以查看和添加项目等.
只需从具有正确权限的用户复制URL,例如:
https://REGION.console.aws.amazon.com/dynamodb/home?region=REGION#explore:name=TABLE-NAME
| 归档时间: |
|
| 查看次数: |
3365 次 |
| 最近记录: |