mi5*_*ded 0 amazon-s3 amazon-web-services amazon-iam
我正在尝试在 S3 存储桶策略中使用 IAM 全局条件键aws:PrincipalOrgPaths,但我不断收到“拒绝访问”错误。我可以很好地使用密钥aws:PrincipalOrgID。下面的消毒桶策略是我正在尝试使用的。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MyOrgOnly",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::thebucketofmydreams",
"arn:aws:s3:::thebucketofmydreams/*"
],
"Condition": {
"ForAnyValue:StringLike": {
"aws:PrincipalOrgPaths": "o-funny/r-stuff/ou-path"
}
}
}
]
}
所以,最终的答案是这是一个语法错误。PrincipalOrgPaths 需要方括号,即使它是单个实体。如果您尝试这样做,您会注意到一旦被接受,方括号将从最终政策中删除。谢谢,AWS!
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "MyOrgOnly",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::thebucketofmydreams",
"arn:aws:s3:::thebucketofmydreams/*"
],
"Condition": {
"ForAnyValue:StringLike": {
"aws:PrincipalOrgPaths": ["o-funny/r-stuff/ou-path"]
}
}
}
]
}
| 归档时间: |
|
| 查看次数: |
411 次 |
| 最近记录: |