我有一种情况,我需要限制 s3 存储桶以拒绝除提供的 ips 列表之外的所有其他 ips,但也允许访问雪花。由于雪花在一个区域中使用的可能 IP 地址列表很多 - https://ip-ranges.amazonaws.com/ip-ranges.json,我试图查看是否可以提供基于为雪花 s3 阶段创建的雪花角色。我尝试的策略如下所示。
{
"Version": "2012-10-17",
"Id": "SourceIP",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::11111111111:role/snowflake-role"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::s3-bucket"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:role/snowflake-role"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::s3-bucket/*"
},
{
"Sid": "SourceIP",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::s3-bucket",
"arn:aws:s3:::s3-bucket/*"
],
"Condition": {
"NotIpAddress": {
"aws:SourceIp": [
"10.10.100.10",
"10.10.100.11",
"10.10.100.12",
"10.10.100.13"
]
}
}
}
]
}
这非常适合阻止其他 IP 地址,但 Snowflake 无法访问。由于“拒绝”可能会拒绝所有 IP 地址,而不管上述雪花的“允许”声明如何,我尝试了如下允许 IP 地址。
{
"Version": "2012-10-17",
"Id": "SourceIP",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::11111111111:role/snowflake-role"
},
"Action": "s3:ListBucket",
"Resource": "arn:aws:s3:::s3-bucket"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::111111111111:role/snowflake-role"
},
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": "arn:aws:s3:::s3-bucket/*"
},
{
"Sid": "SourceIP",
"Effect": "Allow",
"Principal": "*",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::s3-bucket",
"arn:aws:s3:::s3-bucket/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": [
"10.10.100.10",
"10.10.100.11",
"10.10.100.12",
"10.10.100.13"
]
}
}
}
]
}
现在雪花可以访问但ip限制不起作用。所有 ip 都可以访问存储桶。有人可以帮我解决我的情况吗?