Cannot assign amplify:ListDomainAssociations to user

Question Votes: 0 Answers: 1

I need to give developers access to the AWS Amplify service with every permission except creating, deleting and updating domain associations. I created the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "amplify:ListDomainAssociations",
                "amplify:CreateBranch",
                "amplify:ListBranches",
                "amplify:GetApp",
                "amplify:UpdateApp"
            ],
            "Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "amplify:GetBranch",
                "amplify:ListJobs",
                "amplify:DeleteBranch",
                "amplify:UpdateBranch"
            ],
            "Resource": "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/branches/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "amplify:GetJob",
                "amplify:GetDomainAssociation",
                "amplify:DeleteJob",
                "amplify:StartJob",
                "amplify:StopJob"
            ],
            "Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/branches/*/jobs/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/domains/*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "amplify:CreateApp",
                "amplify:ListApps"
            ],
            "Resource": "*"
        }
    ]
}

This policy was generated with the visual editor. As you can see, I allow amplify:ListDomainAssociations on arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*

I attached the policy to the user, but when he logs in to the AWS console through the browser he gets this error:

User: arn:aws:iam::26XXXXXXXXXX:user/tp_amplifyPermissionTest is not authorized to perform: amplify:ListDomainAssociations on resource: arn:aws:amplify:us-east-1:26XXXXXXXXXX:user:/apps/d1xxxxxxxxxxxx/domains

I see that in the resource name shown in the error message there is a / right after the :, and that / does not exist in the ARN resource name in my policy. So I tried to add it, allowing amplify:ListDomainAssociations on the resource arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*, but it says the / is unexpected and I cannot save it.

I also tried editing the resource as follows:

"Resource": [
    "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*",
    "arn:aws:amplify:us-east-1:26XXXXXXXXXX:*"
]

but still without success. Any idea where the problem is?

amazon-web-services amazon-iam aws-amplify
1 answer
0 votes

It seems there is some confusion on the AWS side. Some Resources need :app added, others :/app. This is how I edited the policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "amplify:ListDomainAssociations",
                "amplify:CreateBranch",
                "amplify:ListBranches",
                "amplify:GetApp",
                "amplify:UpdateApp"
            ],
            "Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "amplify:GetBranch",
                "amplify:ListJobs",
                "amplify:DeleteBranch",
                "amplify:UpdateBranch"
            ],
            "Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/branches/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*/branches/*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "amplify:GetJob",
                "amplify:GetDomainAssociation",
                "amplify:DeleteJob",
                "amplify:StartJob",
                "amplify:StopJob"
            ],
            "Resource": [
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/branches/*/jobs/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:apps/*/domains/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*/branches/*/jobs/*",
                "arn:aws:amplify:us-east-1:26XXXXXXXXXX:/apps/*/domains/*"
            ]
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "amplify:CreateApp",
                "amplify:ListApps"
            ],
            "Resource": "*"
        }
    ]
}

This worked for me.
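To see why the original policy denies the call and the edited one allows it, here is an added example (not part of the question or answer) that runs a deliberately simplified IAM-style evaluation (assumption: only * and ? wildcards, case-sensitive, Allow/Deny with default deny, no Condition handling) of the relevant statement against the :/apps/... resource shape that the answer's fix targets; the account and app ids are the masked values from the page, and the domains/example.com ARN is constructed.

```python
import re

ACCOUNT = "26XXXXXXXXXX"   # masked account id as it appears in the question
APP = "d1xxxxxxxxxxxx"     # masked app id from the error message

def arn_matches(pattern: str, value: str) -> bool:
    # Simplified IAM matching (assumption): '*' matches any run of characters,
    # '?' one character; case-sensitive; no policy variables.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value) is not None

def evaluate(policy: dict, action: str, resource: str) -> str:
    # Default deny; an explicit Deny always wins over any Allow.
    decision = "Deny"
    for stmt in policy["Statement"]:
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        res = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not any(arn_matches(a, action) for a in acts):
            continue
        if not any(arn_matches(r, resource) for r in res):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision

def amplify_policy(resources: list) -> dict:
    # Only the statement the question is about; the other statements are omitted.
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "VisualEditor0", "Effect": "Allow",
        "Action": ["amplify:ListDomainAssociations", "amplify:GetApp"],
        "Resource": resources}]}

ACTION = "amplify:ListDomainAssociations"
# Resource shape behind the console error, in the ':/apps/...' form the fix adds.
LIST_RESOURCE = f"arn:aws:amplify:us-east-1:{ACCOUNT}:/apps/{APP}/domains"
ORIGINAL = amplify_policy([f"arn:aws:amplify:us-east-1:{ACCOUNT}:apps/*"])
FIXED = amplify_policy([f"arn:aws:amplify:us-east-1:{ACCOUNT}:apps/*",
                        f"arn:aws:amplify:us-east-1:{ACCOUNT}:/apps/*"])

def check() -> dict:
    return {
        "original": evaluate(ORIGINAL, ACTION, LIST_RESOURCE),   # Deny: 'apps/*' never matches '/apps/...'
        "fixed": evaluate(FIXED, ACTION, LIST_RESOURCE),         # Allow
        # The question's requirement: domain-association writes must stay denied.
        "fixed_create": evaluate(FIXED, "amplify:CreateDomainAssociation",
                                 f"arn:aws:amplify:us-east-1:{ACCOUNT}:/apps/{APP}/domains/example.com"),
    }

if __name__ == "__main__":
    print(check())
```

For a check against the real evaluation engine rather than this approximation, the IAM policy simulator (`aws iam simulate-custom-policy`) accepts a policy document, action names and resource ARNs and reports the decision.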
