我希望你能帮助我。我读过夫妻 的 文档现在,我仍然不确定这是否真的有效。
我想根据 S3 标签为 AWS 用户提供不同级别的访问权限。
例子:
- S3 存储桶
mybucket具有标签{"access-team-dev": "rwd"},这应该导致“开发”团队具有“读取、写入、删除”访问权限。 - 每个团队一个标签,值是访问级别。
我已经尝试过此 IAM 策略的至少 10 种不同组合:
[
{
"Action": [ "a lot of actions removed for brevity" ],
"Condition": {
"StringEquals": {"aws:ResourceTag/access-team-dev": ["list","ro","rw","rwd"]}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [ "a lot of actions removed for brevity" ],
"Condition": {
"StringEquals": {"aws:ResourceTag/access-team-dev": ["ro","rw","rwd"]}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [ "a lot of actions removed for brevity" ],
"Condition": {
"StringEquals": {"aws:ResourceTag/access-team-dev": ["rw","rwd"]}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [ "a lot of actions removed for brevity" ],
"Condition": {
"StringEquals": {"aws:ResourceTag/access-team-dev": ["rwd"]}
},
"Effect": "Allow",
"Resource": "*"
}
]
...但没有任何效果。
该策略通过 IAM 组分配给用户,测试存储桶标记为“access-team-dev”:“rwd”。
两个问题:
- 那样有用吗根本??
- 如果是,我做错了什么???
真的很令人沮丧,因为根据文档 - 如果我没看错的话 - 这应该工作吧?
提前感谢大家的回答!