I have an IAM role to be attached to a microservice in order to limit S3 folder access based on user-agent. The microservice parent account and the bucket owner are the same.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::bucket-test/service/${aws:useragent}/*"
]
},
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::bucket-test"
],
"Condition": {
"StringLike": {
"s3:prefix": [
"service/${aws:useragent}/*"
]
}
}
}
]
}
The same S3 bucket has …
I am using boto3 to write some tests that verify a microservice access policy on an S3 bucket.
Bucket setup:
test-bucket/
service/
micro-a/
micro-b/
This bucket policy is meant to restrict access to principals that carry the specified role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAccessIfInThisRole",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"StringNotLike": {
"aws:userid": "*role-id*"
}
}
}
]
}
The role ID refers to this IAM role, which grants each microservice access to its own folder in the bucket based on the microservice's user agent; that is, microservice A's user agent might be "micro-a", so it should have access to test-bucket/service/micro-a/* but not to test-bucket/service/micro-b/*:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::as-bucket-test/service/${aws:useragent}/*"
]
},
{
"Sid": "AllowListingOfUserFolder",
"Action": [
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::as-bucket-test"
],
"Condition": …
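Before writing the boto3 tests, it helps to work out on paper what the two policies from both posts above decide for each request. The following is an added example and is not code from either question or from AWS: a small Python model of the same-account evaluation rules (any explicit Deny wins, otherwise an Allow from the identity policy or the bucket policy is enough, otherwise implicit deny), with `${aws:useragent}` expanded from the request and `StringLike`/`StringNotLike` matched with IAM wildcards. Assumptions: the bucket is `test-bucket` (the posted policies spell it three different ways); the truncated `Condition` of the role policy is taken to be the `s3:prefix` condition shown in the first post; `AROAROLEIDEXAMPLE` is a made-up role ID standing in for `*role-id*`; a missing condition key makes a condition false; and the `make_client` helper pins the header with botocore's `Config(user_agent=...)`, which replaces the default `Boto3/... Botocore/...` string that `${aws:useragent}` would otherwise expand to.

```python
"""Offline model of the question's bucket policy and role policy (constructed example).

Simplifications: only StringLike/StringNotLike, '*' and '?' wildcards, a missing
condition key makes the condition false, same-account evaluation where an explicit
Deny in any policy beats an Allow from any policy.
"""
import re
from dataclasses import dataclass
from typing import Optional

BUCKET = "test-bucket"            # bucket from the question
ROLE_ID = "AROAROLEIDEXAMPLE"     # assumed role ID standing in for "*role-id*"

# Bucket policy: Deny object actions to any principal whose aws:userid is not the role.
BUCKET_POLICY = {"Statement": [{
    "Effect": "Deny", "Principal": "*", "Action": "s3:*",
    "Resource": f"arn:aws:s3:::{BUCKET}/*",
    "Condition": {"StringNotLike": {"aws:userid": f"*{ROLE_ID}*"}},
}]}

# Role policy: the folder is selected by the caller's User-Agent header.
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/service/${{aws:useragent}}/*"]},
    {"Effect": "Allow", "Action": ["s3:ListBucket"],
     "Resource": [f"arn:aws:s3:::{BUCKET}"],
     "Condition": {"StringLike": {"s3:prefix": ["service/${aws:useragent}/*"]}}},
]}


@dataclass
class Request:
    action: str
    user_id: str                  # aws:userid, "<role-id>:<session>" for an assumed role
    user_agent: str               # aws:useragent, whatever the client put in the header
    key: Optional[str] = None     # object key for object-level actions
    prefix: Optional[str] = None  # s3:prefix for ListBucket

    def resource(self) -> str:
        base = f"arn:aws:s3:::{BUCKET}"
        return f"{base}/{self.key}" if self.key is not None else base

    def context(self) -> dict:
        ctx = {"aws:userid": self.user_id, "aws:useragent": self.user_agent}
        if self.prefix is not None:
            ctx["s3:prefix"] = self.prefix
        return ctx


def glob_match(pattern: str, value: str) -> bool:
    """IAM-style wildcard match: '*' is any run, '?' one char, anchored at both ends."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value) is not None


def as_list(v):
    return v if isinstance(v, list) else [v]


def statement_matches(stmt: dict, req: Request) -> bool:
    ctx = req.context()

    def expand(s: str) -> str:           # policy variable substitution
        return s.replace("${aws:useragent}", ctx["aws:useragent"])

    if not any(glob_match(a, req.action) for a in as_list(stmt["Action"])):
        return False
    if not any(glob_match(expand(r), req.resource()) for r in as_list(stmt["Resource"])):
        return False
    for op, keys in stmt.get("Condition", {}).items():
        for key, patterns in keys.items():
            if key not in ctx:
                return False
            hit = any(glob_match(expand(p), ctx[key]) for p in as_list(patterns))
            if (op == "StringLike" and not hit) or (op == "StringNotLike" and hit):
                return False
    return True


def evaluate(req: Request, identity_policies: list, bucket_policy: dict = BUCKET_POLICY) -> str:
    decision = "ImplicitDeny"
    for policy in [*identity_policies, bucket_policy]:
        for stmt in policy["Statement"]:
            if statement_matches(stmt, req):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"    # an explicit deny always wins
                decision = "Allow"
    return decision


MICRO_A = f"{ROLE_ID}:micro-a"   # session of the shared role, honest User-Agent
OUTSIDER = "AIDAEXAMPLEUSER"      # an IAM user in the account that is not the role
OUTSIDER_POLICY = {"Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}


def scenarios() -> dict:
    """Decisions a boto3 test suite against these two policies should expect."""
    get = lambda uid, ua, key: Request("s3:GetObject", uid, ua, key=key)   # noqa: E731
    return {
        "own folder":      evaluate(get(MICRO_A, "micro-a", "service/micro-a/cfg.json"), [ROLE_POLICY]),
        "other folder":    evaluate(get(MICRO_A, "micro-a", "service/micro-b/cfg.json"), [ROLE_POLICY]),
        "list own":        evaluate(Request("s3:ListBucket", MICRO_A, "micro-a", prefix="service/micro-a/"), [ROLE_POLICY]),
        "list unscoped":   evaluate(Request("s3:ListBucket", MICRO_A, "micro-a"), [ROLE_POLICY]),
        "outsider object": evaluate(get(OUTSIDER, "micro-a", "service/micro-a/cfg.json"), [OUTSIDER_POLICY]),
        "outsider list":   evaluate(Request("s3:ListBucket", OUTSIDER, "micro-a", prefix="service/"), [OUTSIDER_POLICY]),
        # The header is chosen by the client: the same role session claiming "micro-b" gets micro-b's folder.
        "spoofed agent":   evaluate(get(MICRO_A, "micro-b", "service/micro-b/cfg.json"), [ROLE_POLICY]),
    }


def make_client(user_agent: str):
    """boto3 S3 client whose requests carry exactly this User-Agent (assumes boto3 is installed)."""
    import boto3
    from botocore.config import Config
    return boto3.client("s3", config=Config(user_agent=user_agent))


if __name__ == "__main__":
    for name, decision in scenarios().items():
        print(f"{name:16} {decision}")
```

Two of the scenarios are the ones worth carrying into the real tests. "outsider list" shows that the bucket policy's `Resource` of `arn:aws:s3:::test-bucket/*` covers objects only, so `s3:ListBucket` on the bucket itself is never explicitly denied; a principal with its own `s3:ListBucket` allow can still enumerate the keys. "spoofed agent" shows that `${aws:useragent}` comes from a header the caller sets, so the folder split only holds for cooperating clients; AWS's own condition-key documentation says `aws:UserAgent` must not be used to keep unauthorized parties out. If each microservice needs its own folder enforced, give each one its own role (or session tag) and key the resource on that instead.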