我想限制iam用户和联邦用户都不能从机密管理器中看到某个机密。对于iam用户,我创建了这个策略:
policy={
"Version": "2012-10-17",
"Statement": [{
"Effect": "Deny",
"NotPrincipal": {
"AWS": [
f"arn:aws:iam::123831926524:user/{username}",
"arn:aws:iam::123831926524:root"
]},
"Action": "secretsmanager:GetSecretValue",
"Resource": "*"
}]}
但是对于联邦用户,我不知道如何限制他们。
只需通过指定resource base policy
来指定谁能够(单独(使用机密。https://docs.aws.amazon.com/secretsmanager/latest/userguide/auth-and-access_resource-policies.html