KMS key policy wildcard principal

Vom*_*Cat 2 amazon-kms

I need multiple IAM roles (up to 100) to be able to use this KMS key. Instead of listing every IAM role in the KMS key policy, is there any way to use a wildcard or a condition?

```json
{
    "Sid": "Enable IAM Role",
    "Effect": "Allow",
    "Principal": {
        "AWS": [
            "arn:aws:iam::xxxxxxxxxx:role/a1",
            "arn:aws:iam::xxxxxxxxxx:role/a2",
            "arn:aws:iam::xxxxxxxxxx:role/a3",
            ............
            "arn:aws:iam::xxxxxxxxxx:role/a100"
        ]
    },
    "Action": "kms:*",
    "Resource": "*"
}
```

I tried using `arn:aws:iam::xxxxxxxxxx:root`, or a condition using `stringLike`, `sourceArn`, `"arn:aws:iam::xxxxxxxxxx:role/a*"`.

But none of them work.

I want to ask whether there is another option instead of listing all the IAM roles?

Meh*_*ren 8

This will help you

```json
{
    "Sid": "Enable IAM Role",
    "Effect": "Allow",
    "Principal": {
        "AWS": "*"
    },
    "Action": "kms:*",
    "Resource": "*",
    "Condition": {
        "ArnLike": {
            "aws:PrincipalArn": "arn:aws:iam::xxxxxxxxxx:role/a1*"
        }
    }
}
```
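An added offline check, not part of the question or the answer above: it flags key policy statements whose `"AWS": "*"` principal carries no principal-scoping condition, and evaluates which role ARNs an `aws:PrincipalArn` condition actually admits. The sample policy, the account id `111122223333` and the role names are constructed for this example.

```python
import fnmatch
import json

# Constructed sample key policy (not from the post): the answer's statement, a
# wildcard principal narrowed by an aws:PrincipalArn condition, next to a statement
# that leaves the wildcard principal unconditioned. The account id is a placeholder.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM Role", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "kms:*", "Resource": "*",
     "Condition": {"ArnLike": {"aws:PrincipalArn": "arn:aws:iam::111122223333:role/a1*"}}},
    {"Sid": "TooBroad", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": "kms:Decrypt", "Resource": "*"}]})

# Condition keys that pin a wildcard principal back to known callers.
PRINCIPAL_KEYS = {"aws:PrincipalArn", "aws:PrincipalAccount", "aws:PrincipalOrgID", "kms:CallerAccount"}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def statements(policy_json):
    return json.loads(policy_json)["Statement"]

def has_wildcard_principal(statement):
    principal = statement.get("Principal")
    return principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", [])))

def unconditioned_wildcard_sids(policy_json):
    """Sids of Allow statements with Principal '*' whose Condition names none of PRINCIPAL_KEYS."""
    flagged = []
    for st in statements(policy_json):
        if st.get("Effect") != "Allow" or not has_wildcard_principal(st):
            continue
        keys = {k for block in st.get("Condition", {}).values() for k in block}
        if not keys & PRINCIPAL_KEYS:
            flagged.append(st["Sid"])
    return flagged

def principal_arn_allowed(statement, arn):
    """Does a wildcard-principal statement admit this role ARN? Only aws:PrincipalArn conditions
    are evaluated; ArnLike/StringLike use '*'/'?' globbing (fnmatch approximation), *Equals exact."""
    if not has_wildcard_principal(statement):
        return arn in _as_list(statement.get("Principal", {}).get("AWS", []))
    for op, block in statement.get("Condition", {}).items():
        patterns = _as_list(block.get("aws:PrincipalArn", []))
        if patterns and op in ("ArnLike", "StringLike") and not any(fnmatch.fnmatchcase(arn, p) for p in patterns):
            return False
        if patterns and op in ("ArnEquals", "StringEquals") and arn not in patterns:
            return False
    return True
```

Note that the answer's `role/a1*` pattern admits a1, a10 and a100 but not a2; `role/a*` covers every role whose name starts with `a`.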