IAM策略用于使用参数标签的参数存储

huangapple
go评论94阅读模式
英文:

IAM Policy for Parameter Store using Parameter tag

问题

我对整个AWS生态系统都很陌生,所以请谅解。我试图创建一个IAM策略,允许特定的组管理AWS Systems Manager参数存储中的参数。

我将为每个“供应商”创建一个组,他们将有机会管理(获取、更新、删除)只有对应标签的参数。

供应商1 -> 具有标签Supplier:Supplier1的参数1 // 带有标签名称Supplier和标签值Supplier1
供应商1 -> 具有标签Supplier:Supplier1的参数2
供应商2 -> 具有标签Supplier:Supplier2的参数3
供应商2 -> 具有标签Supplier:Supplier2的参数4
供应商3 -> 具有标签Supplier:Supplier3的参数5

因此,供应商1将能够获取参数1和参数2,并且还可以选择编辑或删除此参数,其他供应商也是如此,具有对应的参数。

我想出了这种策略定义。我将其分配给了用户Supplier1,然后我使用我的根帐户在参数存储中创建了带有标签名称Supplier和值Supplier1的参数。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:DeleteParameter",
                "ssm:PutParameter"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ssm:ResourceTag/Supplier": "Supplier1"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "ssm:GetParameter",
                "ssm:DeleteParameter",
                "ssm:PutParameter"
            ],
            "Resource": "*"
        }
    ]
}

但是,当我以Supplier1身份登录时,我可以看到所有已创建的标签(由于DescribeParameters,因为我无法弄清楚是否可以按标签过滤),但在单击所需参数后,我收到了以下错误:User: arn:aws:iam::XXXXXXXXXXXX:user/Supplier1 is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-north-1:XXXXXXXXXXXX:parameter/dev/ai/parameter1 with an explicit deny in an identity-based policy

请帮助我解决这个问题,谢谢!

英文:

I am quite new to whole AWS ecosystem so please bear with me. I am trying to come up with IAM policy by which I will allow certain groups to manage parameters in AWS Systems Manager Parameter Store.

I will have group for each "supplier" and they will have the opportunity to manage (get, update, remove) only parameters with corresponding tag.

Supplier1 -> parameter1 with tag Supplier:Supplier1 // with tag name Supplier and tag value Supplier1
Supplier1 -> parameter2 with tag Supplier:Supplier1
Supplier2 -> parameter3 with tag Supplier:Supplier2
Supplier2 -> parameter4 with tag Supplier:Supplier2
Supplier3 -> parameter5 with tag Supplier:Supplier3

So supplier1 would be able to get parameter1 & parameter2 and also would have the option to edit or even delete this parameter, same goes to other suppliers and their corresponding parameters.

I came up with this kind of policy definition. I assigned it to user Supplier1 and than I created parameter in Parameter Store (using my root account) that i tagged with tag name Supplier and value Supplier1.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:DeleteParameter",
                "ssm:PutParameter"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "ssm:ResourceTag/Supplier": "Supplier1"
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "ssm:GetParameter",
                "ssm:DeleteParameter",
                "ssm:PutParameter"
            ],
            "Resource": "*"
        }
    ]
}

But when I log as Supplier1 I can see all tags that are created (due to DescribeParameters because I could not figure out if it is possible to filter by tags) but after clicking on required parameter I get: User: arn:aws:iam::XXXXXXXXXXXX:user/Supplier1 is not authorized to perform: ssm:GetParameter on resource: arn:aws:ssm:eu-north-1:XXXXXXXXXXXX:parameter/dev/ai/parameter1 with an explicit deny in an identity-based policy error.

Could you please help me out?

Thanks in advance IAM策略用于使用参数标签的参数存储

答案1

得分: 2

问题在于您的 Deny 策略会覆盖所有 Allow 策略,因为在 AWS IAM 中,显式的拒绝策略始终优先于允许策略。请查看文档以了解更多关于 AWS IAM 策略评估逻辑的信息。

尝试使用以下策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ssm:GetParameter",
                "ssm:DeleteParameter",
                "ssm:PutParameter"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "ssm:ResourceTag/Supplier": "Supplier1"
                }
            }
        }
    ]
}
英文:

The issue here is that your Deny policy overrides all Allow policies because in AWS IAM, an explicit deny always has precedence over an allow. Check the documentation to learn more about the AWS IAM policy evaluation logic.

Try the following policy instead:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ssm:DescribeParameters",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ssm:GetParameter",
                "ssm:DeleteParameter",
                "ssm:PutParameter"
            ],
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {
                    "ssm:ResourceTag/Supplier": "Supplier1"
                }
            }
        }
    ]
}

huangapple
  • 本文由 发表于 2023年8月11日 04:06:26
  • 转载请务必保留本文链接:https://go.coder-hub.com/76879000.html
  • amazon-iam
  • amazon-web-services
  • aws-iam-policy
  • aws-parameter-store
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定