如何拆分用户名,在"-"分隔符上拆分时采用第三个元素并将该元素与存储桶中的文件夹名称匹配/?
AWS:用户名只是写入特定存储桶时的放置器。这意味着在创建策略时它不存在。这会导致拆分失败。
我尝试将逻辑移动到条件字段,但还没有结果。
Resources:
testTagGroupPolicy:
Type: AWS::IAM::Group
Properties:
GroupName: !Sub "test-tag-group-${Environment}"
Policies:
- PolicyName: !Sub "test-tag1-group-policy-${Environment}"
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AllowAllActionsInUserFolder
Effect: Allow
Action:
- s3:*
Resource: !Sub "arn:aws:s3:::test-tag1-bucket-${Environment}"
Condition:
StringLikeIfExists:
"s3:prefix": !Sub
- ${Application}/*"
- Application: !Select
- 2
- !Split ["-", !Sub "${aws:username}"]
假设我们有一个名为:test1
我们有一个名为test-tag1-team1-dev的用户
然后,该用户应该只能在test1/team1文件夹中写入。 因此,不要使用完整的用户名,而只使用第三个元素。
我遇到了同样的问题,并遵循了 Vikyol 标记 IAM 委托人的建议。 我的示例只是允许对特定文件夹名称的 PutObject 请求。请注意我们如何在创建用户时分配 Tag。我们在策略中使用标记的文件夹名称。
Resources:
testTagGroupPolicy:
Type: AWS::IAM::Group
Properties:
GroupName: !Sub "test-tag-group-${Environment}"
Policies:
- PolicyName: !Sub "test-tag1-group-policy-${Environment}"
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AllowUploadInUserFolder
Effect: Allow
Action:
- s3:PutObject
Resource:
- Fn::Join:
- ""
-
- "arn:aws:s3:::test-tag1-bucket-${Environment}"
- "/test1/${aws:PrincipalTag/FolderName}/*" # This will resolve to /test1/team1 for TestTeam1User
# For list object the following worked for me
- Sid: AllowListObjectInUserFolder
Effect: Allow
Action:
- s3:ListBucket
Resource: "arn:aws:s3:::test-tag1-bucket-${Environment}"
Condition:
StringLike:
s3:prefix:
- "/test1/${aws:PrincipalTag/FolderName}/*"
TestTeam1User:
Type: "AWS::IAM::User"
Properties:
UserName: { "Fn::Join" : ["", ["test-tag1-team1-", { "Ref" : "Environment" } ] ] } # Resolves to test-tag1-team1-dev
Tags:
- Key: "FolderName" # Specify the folder name this user will have access to
Value: "team1"