我遇到了一个问题。其想法是使用AWS Redshift
查询控制台中的临时凭据将联合(IDP)
AWS
用户名作为登录名传递给Redshift
。但是用户应该只能连接到他的Redshift用户id。为了使用它,我们做了这样一个代码。Redshift
在用户之前已经全部创建。
{
"Sid": "Sid",
"Effect": "Allow",
"Action": "redshift:GetClusterCredentials",
"Resource": [
"arn:aws:redshift:eu-west-1:account_number:dbuser:cluster_name/${aws:username}",
"arn:aws:redshift:eu-west-1:account_number:dbname:cluster_name/db_name"
]
}
但是Redshift
在用户id(useid = "user_test")
中只使用小写字母,而${aws:username}
只返回大写字母("USER_TEST")
。在我们的情况下,我们不能更改${aws:username}
中的值,因为它最终来自IDP
服务。有可能以某种方式使一个表达式相等吗?
谢谢!Ivan
IAM条件下的StringEqualsIgnoreCase可以帮助:
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "redshift:GetClusterCredentials",
"Resource": [
"arn:aws:redshift:eu-west-1:account_id:dbname:cluster_name/db_name",
"arn:aws:redshift:eu-west-1:account_id:dbuser:cluster_name/${redshift:DbUser}"
],
"Condition": {
"StringEqualsIgnoreCase": {
"aws:userid": "role_id:${redshift:DbUser}"
}
}
},
这适用于与aws用户的aws:username
:匹配的db用户名
{
Sid = "VisualEditor2"
Effect = "Allow"
Action = "redshift:GetClusterCredentials"
Resource = [
"arn:aws:redshift:*:123456789101:dbname:clusterid/dbid",
"arn:aws:redshift:*:123456789101:dbuser:clusterid/${redshift:dbUser}"
]
Condition = {
StringEqualsIgnoreCase = {
"aws:username" = "${redshift:dbUser}"
}
}
}