AWS Secrets manager resource policy access for user

Question

I'm trying to make an AWS Secrets Manager resource to be accessed only by a certain user by writing a resource policy for the Secrets Manager, but I can't make it work. I have tried a policy with Allow and Deny with Principal and NotPrincipal, a Deny policy with NotPrincipal and Condition, NotArnLike with aws:SourceArn. All these configs used the ARN of the user, arn:aws:iam::123456789012:user/fbuccioni.

My scenario is kind of a root account, 2 devops with user/policy privileges to 3rd parties, and I need only the root account to access the secretsmanager:GetValue action. That's why I'm trying to secure the resource instead of doing separate IAM identity-based policies.

How can I make it work?

Is there a default Deny policy, so that I have to Allow? The AWS examples have an allow condition only.

Answer 1

Score: 0

Did you also add an identity-based policy to the IAM identity to allow access to that secret?

https://docs.aws.amazon.com/secretsmanager/latest/userguide/determine-acccess_examine-iam-policies.html

> By default, IAM identities don't have permission to access secrets. When authorizing access to a secret, Secrets Manager evaluates the resource-based policy attached to the secret and all identity-based policies attached to the IAM user or role sending the request.

After clarification, your goal is to restrict access to the Secrets Manager instance to only the root account. Can you give this statement a try?

statement {
  principals {
    type = "AWS"
    identifiers = [
      "arn:aws:iam::<account-number>:root"
    ]
  }
  actions = [
    # Your permissions here
  ]
  resources = ["*"]
  condition {
    test     = "StringLike"
    variable = "aws:PrincipalType"
    values = [
      "Account"
    ]
  }
}

https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html

Answer 2

Score: 0

To make it work I had to do several tests and research, but finally I got the answer.

For IAM users

I started doing the tests without the root user, so I tried with an IAM user. The policy doesn't work with the Principal statement with any possible value; I had to use a Condition to make it work:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:DeleteResourcePolicy"
      ],
      "Resource": "*",
      "Condition": {
        "StringNotLike": {
          "aws:userId": [
            "AIDA1EXAMPLE2USER3ID4",
            "012345678987"
          ]
        }
      }
    }
  ]
}

where AIDA1EXAMPLE2USER3ID4 is the User ID and 012345678987 is the account number ID. You can retrieve the UserID with the command:

aws sts get-caller-identity

For Root account

The root account has the superpower to bypass any policy or permission; you just have to lock everything and voilà.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Deny",
      "Principal": "*",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:PutResourcePolicy",
        "secretsmanager:DeleteResourcePolicy"
      ],
      "Resource": "*"
    }
  ]
}
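
The following is an added example, not part of the original answers: a simplified Python model of how the conditional Deny statement from Answer 2 (IAM-user variant) combines with the identity-based Allow that Answer 1 asks about. The caller IDs other than the two in the policy are constructed, and `identity_allows` is an assumed input standing in for whatever the caller is otherwise allowed to do.

```python
import re

# Deny statement from Answer 2, reduced to the fields this model evaluates.
RESOURCE_POLICY = {
    "Effect": "Deny",
    "Action": ["secretsmanager:GetSecretValue", "secretsmanager:PutResourcePolicy",
               "secretsmanager:DeleteResourcePolicy"],
    "Condition": {"StringNotLike": {"aws:userId": [
        "AIDA1EXAMPLE2USER3ID4", "012345678987"]}},
}

def like(pattern, value):
    """IAM StringLike: case-sensitive, '*' = any run, '?' = one character."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.DOTALL) is not None

def deny_applies(stmt, action, context):
    """True when the Deny statement matches this request."""
    if action not in stmt["Action"]:
        return False
    for key, patterns in stmt["Condition"]["StringNotLike"].items():
        value = context.get(key)
        # Negated operator: true if the key is absent or matches NO pattern.
        if value is not None and any(like(p, value) for p in patterns):
            return False
    return True

def decide(action, context, identity_allows):
    """Simplified same-account decision: explicit Deny > Allow > implicit Deny."""
    # identity_allows: actions the caller is otherwise allowed (assumed input).
    if deny_applies(RESOURCE_POLICY, action, context):
        return "ExplicitDeny"
    return "Allow" if action in identity_allows else "ImplicitDeny"

GET = "secretsmanager:GetSecretValue"
# Constructed callers; aws:userId has a different shape per principal type.
CALLERS = {
    "listed IAM user": {"aws:userId": "AIDA1EXAMPLE2USER3ID4"},
    "other IAM user": {"aws:userId": "AIDA9CONSTRUCTEDOTHER1"},
    "root user": {"aws:userId": "012345678987"},  # root: the account ID
    "role session": {"aws:userId": "AROA1CONSTRUCTEDROLE1:deploy"},
}

if __name__ == "__main__":
    for name, ctx in CALLERS.items():
        print(f"{name:16} -> {decide(GET, ctx, {GET})}")
    # Answer 1's point: escaping the Deny is not enough without an Allow.
    print("no Allow ->", decide(GET, CALLERS["listed IAM user"], set()))
```

A role session's aws:userId has the form role-id:session-name, so exempting a role from this Deny takes a wildcard pattern such as AROA1CONSTRUCTEDROLE1:* rather than the bare role ID.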

huangapple
  • Published on 2023-05-18 09:52:19