小贝子编程

redshift:GetClusterCredentials + dbuser + ${aws:username}



我遇到了一个问题。其想法是使用AWS Redshift查询控制台中的临时凭据将联合(IDP)AWS用户名作为登录名传递给Redshift。但是用户应该只能连接到他的Redshift用户id。为了使用它,我们做了这样一个代码。Redshift在用户之前已经全部创建。

{
"Sid": "Sid",
"Effect": "Allow",
"Action": "redshift:GetClusterCredentials",
"Resource": [
"arn:aws:redshift:eu-west-1:account_number:dbuser:cluster_name/${aws:username}",
"arn:aws:redshift:eu-west-1:account_number:dbname:cluster_name/db_name"
]
}

但是Redshift在用户id(useid = "user_test")中只使用小写字母,而${aws:username}只返回大写字母("USER_TEST")。在我们的情况下,我们不能更改${aws:username}中的值,因为它最终来自IDP服务。有可能以某种方式使一个表达式相等吗?

谢谢!Ivan

IAM条件下的StringEqualsIgnoreCase可以帮助:

{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "redshift:GetClusterCredentials",
"Resource": [
"arn:aws:redshift:eu-west-1:account_id:dbname:cluster_name/db_name",
"arn:aws:redshift:eu-west-1:account_id:dbuser:cluster_name/${redshift:DbUser}"
],
"Condition": {
"StringEqualsIgnoreCase": {
"aws:userid": "role_id:${redshift:DbUser}"
}
}
},

这适用于与aws用户的aws:username:匹配的db用户名

{
Sid      = "VisualEditor2"
Effect   = "Allow"
Action   = "redshift:GetClusterCredentials"
Resource = [
"arn:aws:redshift:*:123456789101:dbname:clusterid/dbid",
"arn:aws:redshift:*:123456789101:dbuser:clusterid/${redshift:dbUser}"
]
Condition = {
StringEqualsIgnoreCase = {
"aws:username" = "${redshift:dbUser}"
}
}
}

相关内容

最新更新


热门标签:

javascript python java c# php android html jquery c++ css ios sql mysql arrays asp.net json python-3.x ruby-on-rails .net sql-server django objective-c excel regex ruby linux ajax iphone xml vba spring asp.net-mvc database wordpress string postgresql wpf windows xcode bash git oracle list vb.net multithreading eclipse algorithm macos powershell visual-studio image forms numpy scala function api selenium