我想使用只讀策略 (arn:aws:iam::aws:policy/ReadOnlyAccess) 創建一個 IAM 角色。
為了防止訪問所有存盤桶上的所有物件,我在 Cloudformation 模板中添加了拒絕部分:
ReadOnlyAccessRole:
Type: AWS::IAM::Role
Properties:
Path: /
RoleName: read-only-role
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
AWS: !Ref AwsAccount
Action: sts:AssumeRole
- Effect: Deny
Sid: DenyS3GetObject
Action: s3:GetObject
Resource: "arn:aws:s3:::/*"
ManagedPolicyArns:
- "arn:aws:iam::aws:policy/ReadOnlyAccess"
我在拒絕部分(資源)中收到“MalformedPolicyDocument”錯誤。
我已經測驗了這些選項:
資源:“*”
資源:“arn:aws:s3:::/*”
資源:“arn:aws:s3:::prefix-bucket*”
您對此語法錯誤有任何想法嗎?
編輯 :
來自 Cloudformation 的錯誤:
Blockquote 已禁止欄位資源(服務:AmazonIdentityManagement;狀態代碼:400;錯誤代碼:MalformedPolicyDocument;請求 ID:......;代理:null)在此處輸入代碼
uj5u.com熱心網友回復:
您似乎錯過了該Policies部分。
嘗試這樣的事情:
AWSTemplateFormatVersion: "2010-09-09"
Resources:
MyTestRole:
Type: AWS::IAM::Role
Properties:
RoleName: read-only-role
AssumeRolePolicyDocument:
Version: "2012-10-17"
- Effect: Allow
Principal:
AWS: !Ref AwsAccount
Action: sts:AssumeRole
Policies:
- PolicyName: EmbeddedInlinePolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Deny
Action: s3:GetObject
Resource: '*'
ManagedPolicyArns:
- arn:aws:iam::aws:policy/ReadOnlyAccess
轉載請註明出處,本文鏈接:https://www.uj5u.com/qianduan/456605.html
下一篇:s3檔案夾權限獲取http請求
