IAM policy question: I want to attach only one policy and deny all others



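I created the policy below. I only want to allow creating a role with the snowflake access policy. Every time I run the Lambda code, I can still attach other policies to the role as well. I don't know why, because I have clearly denied the other policies and allowed only one. Can anyone help me?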

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "iam:CreateRole",
      "Resource": "arn:aws:iam::*:role/snowflake-role*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "iam:AttachRolePolicy",
      "Resource": [
        "arn:aws:iam::7882...:policy/snowflake_access",
        "arn:aws:iam::*:role/snowflake-role*"
      ]
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Deny",
      "Action": "iam:*",
      "Resource": [
        "arn:aws:iam::*:role/snowflake-role*"
      ]
    }
  ]
}

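If you look at the actions defined by IAM, you will see a table that maps each action to resource types, condition keys, and so on. For example:

Action CreateRole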
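
An added example, not part of the original question or answer: in the IAM actions table, `iam:AttachRolePolicy` has the role as its resource type, and the managed policy being attached is exposed through the `iam:PolicyARN` condition key, so the restriction belongs in a `Condition` block rather than in `Resource`. The account ID `111122223333` is a placeholder for the elided account in the question, and the `Sid` values are made up for illustration.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateSnowflakeRole",
      "Effect": "Allow",
      "Action": "iam:CreateRole",
      "Resource": "arn:aws:iam::*:role/snowflake-role*"
    },
    {
      "Sid": "AttachOnlySnowflakeAccess",
      "Effect": "Allow",
      "Action": "iam:AttachRolePolicy",
      "Resource": "arn:aws:iam::*:role/snowflake-role*",
      "Condition": {
        "ArnEquals": {
          "iam:PolicyARN": "arn:aws:iam::111122223333:policy/snowflake_access"
        }
      }
    },
    {
      "Sid": "DenyAnyOtherManagedPolicy",
      "Effect": "Deny",
      "Action": "iam:AttachRolePolicy",
      "Resource": "arn:aws:iam::*:role/snowflake-role*",
      "Condition": {
        "ArnNotEquals": {
          "iam:PolicyARN": "arn:aws:iam::111122223333:policy/snowflake_access"
        }
      }
    }
  ]
}
```

The Allow scopes `iam:AttachRolePolicy` to the role and pins the managed policy through the condition; the Deny with `ArnNotEquals` keeps any other Allow granted to the same principal from attaching a different managed policy to these roles.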
