AWS IAM global condition key aws:PrincipalOrgPaths causes Access Denied

I'm trying to use the IAM global condition key aws:PrincipalOrgPaths in an S3 bucket policy, but I keep getting an "Access Denied" error. I'm able to use the key aws:PrincipalOrgID just fine. The sanitized bucket policy below is what I'm trying to use.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MyOrgOnly",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::thebucketofmydreams",
                "arn:aws:s3:::thebucketofmydreams/*"
            ],
            "Condition": {
                "ForAnyValue:StringLike": {
                    "aws:PrincipalOrgPaths": "o-funny/r-stuff/ou-path"
                }
            }
        }
    ]
}

So, the final answer is that this was a syntax error. PrincipalOrgPaths requires square brackets, even when it is a single entity. If you try this, you'll notice that once the policy is accepted, the square brackets are removed from the final policy. Thanks, AWS!

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "MyOrgOnly",
            "Effect": "Allow",
            "Principal": {
                "AWS": "*"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::thebucketofmydreams",
                "arn:aws:s3:::thebucketofmydreams/*"
            ],
            "Condition": {
                "ForAnyValue:StringLike": {
                    "aws:PrincipalOrgPaths": ["o-funny/r-stuff/ou-path"]
                }
            }
        }
    ]
}

Please change the PrincipalOrgPaths condition from "aws:PrincipalOrgPaths": "o-funny/r-stuff/ou-path/" to "aws:PrincipalOrgPaths": "o-funny/r-stuff/ou-path/*" so that everyone under the organization path gets access. You are missing the * here.
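Both answers turn on how the condition value is matched against the request, so the following is an added example (not part of the original question or either answer) that models the documented IAM semantics locally: aws:PrincipalOrgPaths is a multivalued key whose values run from the organization root through every OU containing the account and end with a trailing slash, StringLike is a case-sensitive match where `*` matches any run of characters and `?` exactly one, and ForAnyValue passes if any request value matches any policy value. The organization, root and OU IDs reuse the question's placeholders; the extra principals and their paths are constructed here to show what each candidate condition value allows and denies.

```python
import re

# Constructed sample values (not real AWS identifiers). aws:PrincipalOrgPaths is a
# multivalued key: each value is the path from the org root through every OU that
# contains the account, with a trailing slash, e.g. "o-xxx/r-xxx/ou-aaa/ou-bbb/".
PRINCIPALS = {
    "account_in_ou":        ["o-funny/r-stuff/ou-path/"],           # directly in ou-path
    "account_in_nested_ou": ["o-funny/r-stuff/ou-path/ou-child/"],  # child OU of ou-path
    "account_in_sibling":   ["o-funny/r-stuff/ou-other/"],          # different OU, must be denied
    "account_prefix_clash": ["o-funny/r-stuff/ou-path2/"],          # shares only a string prefix
}


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: case-sensitive; '*' matches any run of characters,
    '?' matches exactly one character; everything else is literal."""
    regex = "".join(
        ".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern
    )
    return re.fullmatch(regex, value) is not None


def for_any_value_string_like(patterns, request_values) -> bool:
    """ForAnyValue:StringLike: true if at least one request value matches at
    least one policy value. The policy side may be written as a bare string or
    a list, so normalize a string to a one-element list."""
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(string_like(p, v) for p in patterns for v in request_values)


def evaluate(condition_value) -> dict:
    """Apply the bucket policy's condition to every sample principal and report
    which ones the Allow statement would match."""
    return {
        name: for_any_value_string_like(condition_value, paths)
        for name, paths in PRINCIPALS.items()
    }


if __name__ == "__main__":
    for cond in (
        "o-funny/r-stuff/ou-path",    # as in the question: no trailing slash, no wildcard
        "o-funny/r-stuff/ou-path/",   # exact OU only, nested OUs excluded
        "o-funny/r-stuff/ou-path/*",  # the OU and everything nested under it
        "o-funny/r-stuff/ou-path*",   # too loose: also matches ou-path2
    ):
        print(f"{cond!r:32} -> {evaluate(cond)}")
```

Running it shows that the question's value matches no principal at all because every real path value ends with a slash, that the `/*` form covers the OU and its nested OUs, and that dropping the slash before `*` (`ou-path*`) also admits any sibling OU whose ID merely starts with the same characters. When auditing a policy, check the trailing slash and the placement of the wildcard together; a string that passes the policy editor's syntax check can still match nothing, or too much.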
