我有一个简单的 IAM 政策,有两个条件:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPush",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com",
"AWS": "arn:aws:iam::123456789:root"
},
"Action": [
"ecr:*"
],
"Condition": {
"StringEquals": {
"aws:username": [
"user01",
"marketing"
]
},
"StringLike": {
"aws:sourceArn": [
"arn:aws:lambda:eu-west-1:987654321:function:*",
"arn:aws:lambda:eu-west-1:481275139:function:*",
"arn:aws:lambda:eu-west-1:428385139:function:*"
]
}
}
}
]
}
我想授予实体权限
ecr:*
如果满足两个条件之一,它们是 user01
/ marketing
或来自另一个帐户的 lambda 函数正在请求授予。
我之前尝试过该政策,但似乎必须同时满足两个条件才能工作。
注意:此策略附加到 ECR 存储库。
您的策略语句有多个条件运算符,因此条件运算符使用逻辑 AND 进行计算。
您的
aws:username
上下文键有多个值,因此这些值使用逻辑 OR 进行评估。 aws:sourceArn
上下文键也是如此。
这是评估的可视化。
如果您想要“非此即彼”而不是使用两个语句,如下所示:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowPushUser",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com",
"AWS": "arn:aws:iam::123456789:root"
},
"Action": [
"ecr:*"
],
"Condition": {
"StringEquals": {
"aws:username": [
"user01",
"marketing"
]
}
}
},
{
"Sid": "AllowPushLambda",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com",
"AWS": "arn:aws:iam::123456789:root"
},
"Action": [
"ecr:*"
],
"Condition": {
"StringLike": {
"aws:sourceArn": [
"arn:aws:lambda:eu-west-1:987654321:function:*",
"arn:aws:lambda:eu-west-1:481275139:function:*",
"arn:aws:lambda:eu-west-1:428385139:function:*"
]
}
}
}
]
}