Can a wildcard (*) be used in a DynamoDB fine-grained access policy?

Ric*_*ong 13 amazon-dynamodb amazon-iam

I have an Amazon DynamoDB table whose partition key consists of the user's id (from Facebook or Google) followed by other characters. I know wildcards can be used to specify attributes in fine-grained access policies, but I cannot get a wildcard to work in dynamodb:LeadingKeys.

Here is the working policy:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "dynamodb:BatchGetItem",
              "dynamodb:BatchWriteItem",
              "dynamodb:DeleteItem",
              "dynamodb:GetItem",
              "dynamodb:PutItem",
              "dynamodb:Query",
              "dynamodb:UpdateItem"
          ],
          "Resource": [
              "arn:aws:dynamodb:<region>:<...>:table/<table-name>"
          ],
          "Condition": {
              "ForAllValues:StringEquals": {
                  "dynamodb:LeadingKeys": [
                      "g_${accounts.google.com:sub}"
                  ]
              }
          }
      }
  ]
}

However, this does not work:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "dynamodb:BatchGetItem",
              "dynamodb:BatchWriteItem",
              "dynamodb:DeleteItem",
              "dynamodb:GetItem",
              "dynamodb:PutItem",
              "dynamodb:Query",
              "dynamodb:UpdateItem"
          ],
          "Resource": [
              "arn:aws:dynamodb:<region>:<...>:table/<table-name>"
          ],
          "Condition": {
              "ForAllValues:StringEquals": {
                  "dynamodb:LeadingKeys": [
                      "*_${accounts.google.com:sub}"
                  ]
              }
          }
      }
  ]
}

Ric*_*ong 24

I found the solution. Instead of ForAllValues:StringEquals, use ForAllValues:StringLike.

The working policy looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "dynamodb:BatchGetItem",
              "dynamodb:BatchWriteItem",
              "dynamodb:DeleteItem",
              "dynamodb:GetItem",
              "dynamodb:PutItem",
              "dynamodb:Query",
              "dynamodb:UpdateItem"
          ],
          "Resource": [
              "arn:aws:dynamodb:<region>:<...>:table/<table-name>"
          ],
          "Condition": {
              "ForAllValues:StringLike": {
                  "dynamodb:LeadingKeys": [
                      "*_${accounts.google.com:sub}"
                  ]
              }
          }
      }
  ]
}

It took me a while to find this reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AccessPolicyLanguage_ConditionType

  • I'm surprised I found so little mention of this. From the docs it looks as though you can only do row-level access control on the ENTIRE partition key, which in many cases would force a coarse partition key if you also need access control. This gives much more flexibility. (5 upvotes)
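To make the StringEquals versus StringLike difference concrete, here is an added example (not code from the question or answer above) that models how IAM evaluates the Condition blocks shown in this thread. It is a simplified, offline re-implementation of the string operators and the ForAllValues/ForAnyValue set operators, not the IAM engine itself; the Google sub value and the request contexts are constructed for the demonstration, and the ${accounts.google.com:sub} variable name is the one used in the policies above.

```python
import re
from typing import Dict, List, Union

# Constructed request context standing in for what IAM sees when a
# Google-federated caller touches partition key "g_<sub>". The sub value is made up.
REQUEST_CONTEXT: Dict[str, object] = {
    "accounts.google.com:sub": "1234567890",
    "dynamodb:LeadingKeys": ["g_1234567890"],
}

# The two Condition blocks from the thread (variable substitution happens at evaluation time).
EQUALS_CONDITION = {"ForAllValues:StringEquals": {"dynamodb:LeadingKeys": ["*_${accounts.google.com:sub}"]}}
LIKE_CONDITION = {"ForAllValues:StringLike": {"dynamodb:LeadingKeys": ["*_${accounts.google.com:sub}"]}}


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an IAM StringLike pattern into a regex.

    IAM wildcards: '*' matches any run of characters (including none) and '?'
    matches exactly one character. Everything else is literal and matching is
    case-sensitive, so escape first, then swap the two wildcard tokens back in.
    """
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(escaped, re.DOTALL)


def substitute_variables(value: str, context: Dict[str, object]) -> str:
    """Expand ${var} policy variables from the request context.

    A variable absent from the context is left as literal text, so the
    condition cannot accidentally match a real key.
    """
    return re.sub(r"\$\{([^}]+)\}", lambda m: str(context.get(m.group(1), m.group(0))), value)


def string_matches(operator: str, pattern: str, value: str) -> bool:
    """Compare one (already substituted) condition value with one request value."""
    if operator == "StringEquals":
        return pattern == value  # '*' is just a literal asterisk here, hence the failing policy
    if operator == "StringLike":
        return wildcard_to_regex(pattern).fullmatch(value) is not None
    raise ValueError(f"unsupported operator: {operator}")


def evaluate_condition(condition: Dict[str, Dict[str, Union[str, List[str]]]],
                       context: Dict[str, object]) -> bool:
    """Evaluate a Condition block against a request context.

    Simplified model: only StringEquals/StringLike, optionally prefixed with the
    ForAllValues:/ForAnyValue: set operators; no Null, IfExists, IpAddress, etc.
    """
    for full_operator, keys in condition.items():
        set_op, _, base_op = full_operator.rpartition(":")
        for key, cond_values in keys.items():
            raw_patterns = [cond_values] if isinstance(cond_values, str) else cond_values
            patterns = [substitute_variables(v, context) for v in raw_patterns]
            raw = context.get(key, [])
            request_values = [raw] if isinstance(raw, str) else list(raw)

            def matched(value: str) -> bool:
                return any(string_matches(base_op, p, value) for p in patterns)

            if set_op == "ForAllValues":
                # Every request value must match some pattern. An EMPTY request set
                # also passes (documented IAM behaviour), which is why AWS warns
                # against pairing ForAllValues with Effect: Allow.
                ok = all(matched(v) for v in request_values)
            elif set_op == "ForAnyValue":
                ok = any(matched(v) for v in request_values)
            elif set_op == "":
                ok = len(request_values) == 1 and matched(request_values[0])  # single-valued key
            else:
                raise ValueError(f"unsupported set operator: {set_op}")
            if not ok:
                return False
    return True


def evaluate_with_keys(condition: dict, leading_keys: List[str]) -> bool:
    """Evaluate a condition for a request carrying the given dynamodb:LeadingKeys values."""
    return evaluate_condition(condition, {**REQUEST_CONTEXT, "dynamodb:LeadingKeys": leading_keys})


if __name__ == "__main__":
    for label, cond in (("StringEquals", EQUALS_CONDITION), ("StringLike", LIKE_CONDITION)):
        print(f"{label:13} own key g_<sub>        ->", evaluate_with_keys(cond, ["g_1234567890"]))
        print(f"{label:13} own g_ and f_ keys     ->", evaluate_with_keys(cond, ["g_1234567890", "f_1234567890"]))
        print(f"{label:13} own key + someone else ->", evaluate_with_keys(cond, ["g_1234567890", "g_0000000000"]))
```

The model shows why the asker's second policy is rejected: under StringEquals the asterisk is compared literally, while StringLike expands it. It also shows two things a practitioner should weigh before copying the StringLike pattern: a leading `*` accepts any prefix at all (a key like `anything_<sub>` matches, not only `g_` or `f_`), and ForAllValues evaluates to true for an empty request set, so pair it with a Deny where the request may not carry the key.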