我在秘密管理器中有一个秘密,并且系统中有多个 IAM 角色。我只想要一个角色来访问这个秘密。不幸的是,还有一些其他 IAM 角色拥有完整的 Secrets Manager 权限。所以我想限制对所有其他角色的秘密访问,除了我想要的角色。
角色
- IAM_role_that_need_to_access_the_secret。
- IAM_role_1_that_should_not_access_the_secret。
- IAM_role_2_that_should_not_access_the_secret。
以下正在工作。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "secretsmanager:GetSecretValue",
"Principal": {
"AWS": "arn:aws:iam::IAM_role_1_that_should_not_access_the_secret",
"AWS": "arn:aws:iam::IAM_role_2_that_should_not_access_the_secret"
},
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"secretsmanager:VersionStage": "AWSCURRENT"
}
}
}
]
}
但我想拒绝访问所有角色,而无需在拒绝权限部分明确提及每个角色。像下面的东西。但它将仅限于所有角色,包括所需的角色。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Deny",
"Action": "secretsmanager:GetSecretValue",
"Principal": {"AWS": "*"},
"Resource": "*"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"secretsmanager:VersionStage": "AWSCURRENT"
}
}
}
]
}