Unable to assign amplify:ListDomainAssociations to a user



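I need to allow developers to access the AWS Amplify service with all permissions except creating, deleting, and updating domain associations. I created the following policy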

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "amplify:ListDomainAssociations",
                "amplify:CreateBranch",
                "amplify:ListBranches",
                "amplify:GetApp",
                "amplify:UpdateApp"
            ],
            "Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "amplify:GetBranch",
                "amplify:ListJobs",
                "amplify:DeleteBranch",
                "amplify:UpdateBranch"
            ],
            "Resource": "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/branches/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "amplify:GetJob",
                "amplify:GetDomainAssociation",
                "amplify:DeleteJob",
                "amplify:StartJob",
                "amplify:StopJob"
            ],
            "Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/branches/*/jobs/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/domains/*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "amplify:CreateApp",
                "amplify:ListApps"
            ],
            "Resource": "*"
        }
    ]
}

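This policy was generated using the visual editor. As you can see, I allow amplify:ListDomainAssociations on arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*

I attached the policy to the user, but when he logs in to the AWS console through the browser, he gets this error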

User: arn:aws:iam::26XXXXXXXXXX:user/tp_amplifyPermissionTest is not authorized to perform: amplify:ListDomainAssociations on resource: arn:aws:amplify:us-east-1:26XXXXXXXXXX:user:/apps/d1xxxxxxxxxxxx/domains

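I saw that the resource name in the error message has a / after the :, and that this / is not present in the ARN resource name in my policy. So I tried adding it, allowing amplify:ListDomainAssociations for the following resource arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*, but it said the / was unexpected and I could not save.

I also tried editing the resource to the following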

"Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:*"
            ]

but still without success. Any idea where the problem might be?

AWS seems to be a bit of a mess here. Some Resources should be added with :app, and others with :/app. Here is how I edited the policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "amplify:ListDomainAssociations",
                "amplify:CreateBranch",
                "amplify:ListBranches",
                "amplify:GetApp",
                "amplify:UpdateApp"
            ],
            "Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "amplify:GetBranch",
                "amplify:ListJobs",
                "amplify:DeleteBranch",
                "amplify:UpdateBranch"
            ],
            "Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/branches/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*/branches/*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "amplify:GetJob",
                "amplify:GetDomainAssociation",
                "amplify:DeleteJob",
                "amplify:StartJob",
                "amplify:StopJob"
            ],
            "Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/branches/*/jobs/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/domains/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*/branches/*/jobs/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*/domains/*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "amplify:CreateApp",
                "amplify:ListApps"
            ],
            "Resource": "*"
        }
    ]
}

This worked for me
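
Added example (not from the original post or from AWS): a simplified model of how an IAM `Resource` pattern is compared with the ARN named in an access-denied message, showing why `apps/*` does not cover an ARN whose resource part starts with `/apps/`, while the answer's extra `/apps/*` entry does. The account ID, app ID and helper names are constructed placeholders, and the matcher ignores Deny statements, conditions and policy variables.

```python
import re

def wildcard_match(pattern, value):
    # IAM wildcards: "*" is any run of characters, "?" is exactly one character.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

def arn_matches(pattern, arn):
    # Compare the six colon-delimited ARN segments one by one; the sixth
    # (resource) segment keeps any further ":" or "/" characters.
    if pattern == "*":
        return True
    p, a = pattern.split(":", 5), arn.split(":", 5)
    return len(p) == len(a) == 6 and all(map(wildcard_match, p, a))

def as_list(value):
    return [value] if isinstance(value, str) else list(value)

def allowing_statements(policy, action, arn):
    """Sids of Allow statements whose Action and Resource both match."""
    hits = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        # Action names are compared case-insensitively, resources are not.
        action_ok = any(wildcard_match(a.lower(), action.lower())
                        for a in as_list(stmt["Action"]))
        resource_ok = any(arn_matches(r, arn) for r in as_list(stmt["Resource"]))
        if action_ok and resource_ok:
            hits.append(stmt.get("Sid"))
    return hits

# Constructed sample data: placeholder account ID and app ID, with the
# request ARN shaped as the question describes (a "/" right after the account ID).
BASE = "arn:aws:amplify:us-east-1:111122223333:"
REQUEST_ARN = BASE + "/apps/d1exampleappid/domains"

def make_policy(resources):
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": ["amplify:ListDomainAssociations", "amplify:GetApp"],
        "Resource": resources}]}

QUESTION_POLICY = make_policy([BASE + "apps/*"])
ANSWER_POLICY = make_policy([BASE + "apps/*", BASE + "/apps/*"])

if __name__ == "__main__":
    for name, pol in (("question", QUESTION_POLICY), ("answer", ANSWER_POLICY)):
        print(name, allowing_statements(pol, "amplify:ListDomainAssociations", REQUEST_ARN))
```

Running the same check against the exact ARN copied from an access-denied message shows which statement, if any, covers it before the policy is attached to a user.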
