我有一个API密钥,我只想允许如果API key有任何一个,开发人员可以查看API key值。以下标签(键值对)
# allow access if API key has any one of Tag with corresponding values
app: demo
OR
default:true
这是当前的IAM政策声明。
- Effect: Allow
Action: apigateway:GET
Resource: arn:aws:apigateway:us-east-1::/apikeys/*
Condition:
StringEquals:
aws:ResourceTag/app:
- "${aws:PrincipalTag/app}"
aws:ResourceTag/default:
- "true"
但是根据AWS文档,评估逻辑是key1:value1 AND key2:value2,这意味着只有当API密钥具有具有相应值的两个标签时才能访问allow,但我需要key1:value1 OR key2:value2。你能请你如何写条件操作符为这使用单个语句?
您可以使用ForAnyValue:StringEquals:条件键:
- Effect: Allow
Action: apigateway:GET
Resource: arn:aws:apigateway:us-east-1::/apikeys/*
Condition:
ForAnyValue:StringEquals:
aws:ResourceTag/app:
- "${aws:PrincipalTag/app}"
aws:ResourceTag/default:
- "true"