1

我对我假设的 IAM 角色有以下政策:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::mybucket/${aws:RequestTag/personalid}/*"
        }
    ]
}

执行承担角色时,我正在传递标签:

response = sts_client.assume_role(
       RoleArn=arn,
       RoleSessionName=role_session_name,
       Tags=[
          {
             'Key': 'personalid',
             'Value':'a'
          },
       ])

但是当我尝试读取文件夹“a”下的对象时,访问被拒绝:

    s3 = boto3.resource(
      's3',
      aws_access_key_id=response['Credentials']['AccessKeyId'],
      aws_secret_access_key=response['Credentials']['SecretAccessKey'],
      aws_session_token=response['Credentials']['SessionToken'],
      region_name=client_main_region
   )
    obj = s3.Object('mybucket', f'a/file.txt')
    print(obj.get()['Body'].read().decode('utf-8'))

我已经用“principalTag”替换了该策略,同时为角色添加了一个标签,并且它有效 - 我做错了什么?

=====

我尝试的另一件事是使用该 ID 标记 s3 对象,并使用以下策略:

{
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket",
                "s3:GetObject"
            ],
            "Condition": {
                "StringEqualsIfExists": {
                    "aws:RequestTag/personalid": "${s3:ExistingObjectTag/personalid}"
                }
            },
            "Resource": "arn:aws:s3:::mybucket/*"
        }

不工作

4

1 回答 1

1

如果有人寻找这个 - 显然信任关系应该声明这些标签 - 所以它们将可用:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123:role/lambda_role"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123:role/lambda_role"
      },
      "Action": "sts:TagSession",
      "Condition": {
        "StringLike": {
          "aws:RequestTag/personalid": "*"
        }
      }
    }
  ]
}

然后,我可以将此标签用作假定角色的主要标签:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject"
            ],
            "Resource": "arn:aws:s3:::mybucket/${aws:PrincipalTag/personalid}/*"
        }
    ]
}
于 2020-07-02T07:32:00.960 回答