【发布时间】:2019-03-21 08:45:02
【问题描述】:
我需要允许开发人员使用除创建、删除和更新域关联之外的所有权限访问 AWS Amplify 服务。我创建了以下策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"amplify:ListDomainAssociations",
"amplify:CreateBranch",
"amplify:ListBranches",
"amplify:GetApp",
"amplify:UpdateApp"
],
"Resource": [
"arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"amplify:GetBranch",
"amplify:ListJobs",
"amplify:DeleteBranch",
"amplify:UpdateBranch"
],
"Resource": "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/branches/*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"amplify:GetJob",
"amplify:GetDomainAssociation",
"amplify:DeleteJob",
"amplify:StartJob",
"amplify:StopJob"
],
"Resource": [
"arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/branches/*/jobs/*",
"arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/domains/*"
]
},
{
"Sid": "VisualEditor3",
"Effect": "Allow",
"Action": [
"amplify:CreateApp",
"amplify:ListApps"
],
"Resource": "*"
}
]
}
此政策是使用可视化编辑器生成的。
如您所见,我在arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/* 上允许amplify:ListDomainAssociations
我将策略附加给用户,但当他通过浏览器登录 AWS 控制台时,出现此错误
User: arn:aws:iam::26XXXXXXXXXX:user/tp_amplifyPermissionTest is not authorized to perform: amplify:ListDomainAssociations on resource: arn:aws:amplify:us-east-1:26XXXXXXXXXX:user:/apps/d1xxxxxxxxxxxx/domains
我看到错误消息中的资源名称中的 : 之后有一个 /,并且我的策略 arn 资源名称中不存在 /。所以我尝试添加它,允许amplify:ListDomainAssociations 用于以下资源arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*,但说/ 是意外的,我无法保存它。
我也尝试过如下编辑资源
"Resource": [
"arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*",
"arn:aws:amplify:us-east-1:26XXXXXXXXXX:*"
]
但仍然没有成功。 知道问题出在哪里吗?
【问题讨论】:
标签: amazon-web-services amazon-iam aws-amplify