0

我在目标帐户中定义了信任关系,使用

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[SOURCE_ACCOUNT_NUMBER]:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

我想添加一个条件以仅允许特定用户在使用联合 (STS) 时访问此帐户。所以我将信任关系修改为:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::[SOURCE_ACCOUNT_NUMBER]:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:user-name": "[USER-NAME-FROM-SOURCE-ACCOUNT]"
        }
      }
    }
  ]
}

但是,这种情况没有得到评估。aws:user-name在这种情况下验证这个条件是否正确?

参考:https ://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user.html

4

1 回答 1

2

如果您指定用户 arn,您实际上可以在主体字段中指定特定用户,例如:

"Principal": { 
  "AWS": "arn:aws:iam::123456789012:user/<username>" 
},
于 2019-05-29T10:38:37.140 回答