Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
742 views
in Technique[技术] by (71.8m points)

amazon web services - Granting access to S3 resources based on role name

IAM policy variables are quite cool and let you create generic policys to, for example, give users access to paths in an S3 bucket based on their username, like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:GetObject","s3:PutObject","s3:DeleteObject"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::fooCorp-user-files/${aws:username}/*"
        },
        {
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::fooCorp-user-files"
        }
    ]
}

My question is, how can this be done using roles (attached to EC2 instances) instead of user accounts?

I have a number of app servers with unique IAM user accounts that are linked to a generic policy similar to the one above. This isolates the files accessible by each user/app without creating multiple policies.

I want switch these servers to use roles instead but there doesn't seem to be an equivalent IAM variable like aws:rolename.

The docs indicate that when using a role assigned to an EC2 instance the aws:username variable isn't set and aws:userid is [role-id]:[ec2-instance-id] (which isn't helpful either).

This really seems like something you should be able to do.. or am I coming at this the wrong way?

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

I've been looking for the same and after a lot of searching my conclusion was that it is not possible to use the role name as a variable in a IAM policy (I'd love to be proven wrong though).

Instead, I tagged my role with a name and ended up with this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": ["s3:GetObject","s3:PutObject","s3:DeleteObject"],
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::fooCorp-user-files/${aws:PrincipalTag/name}/*"
        },
        {
            "Action": "s3:ListBucket",
            "Effect": "Allow",
            "Resource": "arn:aws:s3:::fooCorp-user-files"
        }
    ]
}

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...