我只是尝试将标签添加到某些存储桶中,然后创建了一个内联IAM角色策略,该策略可以使该角色访问S3存储桶,但无法正常工作。我同时尝试了iam:ResourceTag/tagName
和s3:ResourceTag/tagName
作为条件,但是都没有用。
看起来一切都很好,我开始认为AWS可能尚未针对S3实施此功能。是这样吗我尝试查看文档,但实际上我没有发现与使用S3的标签有关的任何信息。
例如,角色HumanResources
应该对所有标记有HR
,Recruitment
等的存储桶都具有,但是没有其他存储桶。
在查看Actions, Resources, and Condition Keys for Amazon S3 - AWS Identity and Access Management时,似乎无法在IAM策略中指定存储桶标签。
一种选择是在存储桶名称中使用通配符。例如,您可以授予访问权限:
acme-hr-1
您可以基于存储区名称acme-hr-*
授予权限。
是,可以,但是您需要在每个S3资源策略上进行操作。
这里是一个S3策略,仅将IAM用户和角色的Tag部门设置为“ hr”,才授予对存储桶的访问权限。
为了确保HR员工只能访问这些存储桶,您需要从其IAM用户/角色访问策略中删除所有S3访问。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DenyObjectOthers",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:GetObject*",
"s3:RestoreObject*"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*"
],
"Condition": {
"StringNotLike": {
"aws:PrincipalTag/department": [
"hr"
]
}
}
},
{
"Sid": "DenyListOthers",
"Effect": "Deny",
"Principal": "*",
"Action": [
"s3:ListBucket*"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME"
],
"Condition": {
"StringNotLike": {
"aws:PrincipalTag/department": [
"hr"
]
}
}
},
{
"Sid": "AllowObject",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AWS_ACCOUNT_NUMBER:root"
},
"Action": [
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts",
"s3:DeleteObject*",
"s3:PutObject*",
"s3:GetObject*",
"s3:RestoreObject*"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*"
],
"Condition": {
"StringLike": {
"aws:PrincipalTag/department": [
"hr"
]
}
}
},
{
"Sid": "AllowList",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AWS_ACCOUNT_NUMBER:root"
},
"Action": [
"s3:ListBucket*"
],
"Resource": [
"arn:aws:s3:::BUCKET_NAME"
],
"Condition": {
"StringLike": {
"aws:PrincipalTag/department": [
"hr"
]
}
}
}
]
}
先前的错误答案发件人:IAM Policy Elements: Variables and Tags - AWS Identity and Access Management
"Resource": ["arn:aws:s3:::bucket/${aws:PrincipalTag/department}"]
还请确保在2012-10-17
处包含版本。