如何拆分用户名,拆分时取第3个元素用'-'分隔符,并将该元素与bucket内的文件夹名进行匹配?
aws:username只是在写到一个特定的bucket时的一个定位符。这意味着它在创建策略时并不存在。这就导致拆分失败。
我试着把逻辑移到条件字段,但还没有结果。
Resources:
testTagGroupPolicy:
Type: AWS::IAM::Group
Properties:
GroupName: !Sub "test-tag-group-${Environment}"
Policies:
- PolicyName: !Sub "test-tag1-group-policy-${Environment}"
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AllowAllActionsInUserFolder
Effect: Allow
Action:
- s3:*
Resource: !Sub "arn:aws:s3:::test-tag1-bucket-${Environment}"
Condition:
StringLikeIfExists:
"s3:prefix": !Sub
- ${Application}/*"
- Application: !Select
- 2
- !Split ["-", !Sub "${aws:username}"]
比方说,我们有一个名为 "Bucket "的桶。test1
我们有一个用户,名字叫... test-tag1-team1-dev
那么该用户应该只能在 test1/team1 文件夹.所以不使用完整的用户名,只使用第三个元素。
我遇到了同样的问题,并按照Vikyol的建议标记IAM principals。我的例子只是允许在一个特定的文件夹名上进行PutObject请求。请注意,我们是如何分配标签,而创建一个用户。我们在策略中使用被标记的文件夹名称。
Resources:
testTagGroupPolicy:
Type: AWS::IAM::Group
Properties:
GroupName: !Sub "test-tag-group-${Environment}"
Policies:
- PolicyName: !Sub "test-tag1-group-policy-${Environment}"
PolicyDocument:
Version: 2012-10-17
Statement:
- Sid: AllowUploadInUserFolder
Effect: Allow
Action:
- s3:PutObject
Resource:
- Fn::Join:
- ""
-
- "arn:aws:s3:::test-tag1-bucket-${Environment}"
- "/test1/${aws:PrincipalTag/FolderName}/*" # This will resolve to /test1/team1 for TestTeam1User
# For list object the following worked for me
- Sid: AllowListObjectInUserFolder
Effect: Allow
Action:
- s3:ListBucket
Resource: "arn:aws:s3:::test-tag1-bucket-${Environment}"
Condition:
StringLike:
s3:prefix:
- "/test1/${aws:PrincipalTag/FolderName}/*"
TestTeam1User:
Type: "AWS::IAM::User"
Properties:
UserName: { "Fn::Join" : ["", ["test-tag1-team1-", { "Ref" : "Environment" } ] ] } # Resolves to test-tag1-team1-dev
Tags:
- Key: "FolderName" # Specify the folder name this user will have access to
Value: "team1"