信任策略在扮演角色时

huangapple go评论62阅读模式
英文:

trust policy when assuming roles

问题

I have a set of roles in the format hi-role1- & hi-role2- that need to assume h1-role3. All these roles are deployed through terraform & spinnaker and random characters are assigned at the end for role1 & role2. I am not able to come up with a trust policy that narrows down the sts to just those roles as AWS expects the complete ARN and won't let me add a wildcard like hi-role1-*. Is there any way to make this work? This is what it looks like now

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "",
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"*"
				]
			},
			"Action": "sts:AssumeRole",
			"Condition": {
				"StringEquals": {
					"aws:PrincipalAccount": "12345"
				}
			}
		}
	]
}

I want to narrow it down to

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "",
			"Effect": "Allow",
			"Principal": {
				"AWS": [
					"arn:aws:iam::12345:/role/hi-role1-*",
					"arn:aws:iam::12345:/role/hi-role2-*"
				]
			},
			"Action": "sts:AssumeRole",
			"Condition": {
				"StringEquals": {
					"aws:PrincipalAccount": "12345"
				}
			}
		}
	]
}

I am not so familiar with AWS, and everything I looked at says it is not supported. I don't want to leave my trust policy wide open. Thanks for any help/suggestions!

英文:

I have a set of roles in the format hi-role1-<random> & hi-role2-<random> that need to assume h1-role3. All these roles are deployed through terraform & spinnaker and random characters are assigned at the end for role1 & role2. I am not able to come up with a trust policy that narrows down the sts to just those roles as AWS expects the complete ARN and wont let me add a wildcard like hi-role1-*. Is there anyway to make this work? This is what it looks like now

{
	&quot;Version&quot;: &quot;2012-10-17&quot;,
	&quot;Statement&quot;: [
		{
			&quot;Sid&quot;: &quot;&quot;,
			&quot;Effect&quot;: &quot;Allow&quot;,
			&quot;Principal&quot;: {
				&quot;AWS&quot;: [
					&quot;*&quot;
				]
			},
			&quot;Action&quot;: &quot;sts:AssumeRole&quot;,
			&quot;Condition&quot;: {
				&quot;StringEquals&quot;: {
					&quot;aws:PrincipalAccount&quot;: &quot;12345&quot;
				}
			}
		}
	]
}

I want to narrow it down to

{
	&quot;Version&quot;: &quot;2012-10-17&quot;,
	&quot;Statement&quot;: [
		{
			&quot;Sid&quot;: &quot;&quot;,
			&quot;Effect&quot;: &quot;Allow&quot;,
			&quot;Principal&quot;: {
				&quot;AWS&quot;: [
					&quot;arn:aws:iam::12345:/role/hi-role1-*&quot;,
                                        &quot;arn:aws:iam::12345:/role/hi-role2-*&quot;
				]
			},
			&quot;Action&quot;: &quot;sts:AssumeRole&quot;,
			&quot;Condition&quot;: {
				&quot;StringEquals&quot;: {
					&quot;aws:PrincipalAccount&quot;: &quot;12345&quot;
				}
			}
		}
	]
}

I am not so familiar with AWS and everything I looked at says it is not supported. I dont want to leave my trust policy wide open. Thanks for any help/suggestions!

答案1

得分: 1

我已经包括了符合您要求的工作 IAM 策略示例,如下所示:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::12345:/role/hi-role1-*",
                        "arn:aws:iam::12345:/role/hi-role2-*"
                    ]
                }
            }
        }
    ]
}

关键区别是使用了 StringLike 条件运算符,而在主体 ARN 中没有使用通配符。

解释

您可以使用 StringLike 条件运算符来与通配符 (*) 匹配多个字符。根据官方文档

区分大小写的匹配。值可以包括在字符串中的多字符匹配通配符 (*) 和单字符匹配通配符 (?)。要实现部分字符串匹配,必须指定通配符。

此外,根据官方文档,您不能在主体中使用通配符:

不能使用通配符来匹配主体名称或 ARN 的一部分。

英文:

I've included an example of a working IAM policy that meets your requirements below for you.

{
    &quot;Version&quot;: &quot;2012-10-17&quot;,
    &quot;Statement&quot;: [
        {
            &quot;Sid&quot;: &quot;&quot;,
            &quot;Effect&quot;: &quot;Allow&quot;,
            &quot;Principal&quot;: {
                &quot;AWS&quot;: &quot;arn:aws:iam::12345:root&quot;
            },
            &quot;Action&quot;: &quot;sts:AssumeRole&quot;,
            &quot;Condition&quot;: {
                &quot;StringLike&quot;: {
                    &quot;aws:PrincipalArn&quot;: [
                        &quot;arn:aws:iam::12345:/role/hi-role1-*&quot;,
                        &quot;arn:aws:iam::12345:/role/hi-role2-*&quot;
                    ]
                }
            }
        }
    ]
}

The key difference is using the StringLike condition operator and no wildcard in the principal ARN.

Explanation

You can use the StringLike condition operator to match multi-characters with a wildcard(*). From the official document

> Case-sensitive matching. The values can include multi-character match wildcards (*) and single-character match wildcards (?) anywhere in the string. You must specify wildcards to achieve partial string matches.

Also, you can't use a wildcard in principal from the official document

> You cannot use a wildcard to match part of a principal name or ARN.

huangapple
  • 本文由 发表于 2023年6月15日 05:14:01
  • 转载请务必保留本文链接:https://go.coder-hub.com/76477580.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定