是否可以为 AWS 角色信任关系指定模式
Is it possible to specify a pattern for an AWS role Trust Relationship
我想允许来自不同帐户的某些角色代入我的帐户中的角色。我不想一一指定角色,因为它们很容易经常变化。
我为信任关系提出了这个策略,它应该允许名称以 _my_suffix 结尾的任何角色,但它不起作用(访问被拒绝):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
},
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:iam::ACCOUNT_NR_A:role/*_my_suffix"
}
},
"Action": "sts:AssumeRole"
}
]
}
另一方面,此策略有效但过于开放,因为它允许帐户 A 中的任何 user/role 担任我的角色:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
},
"Action": "sts:AssumeRole"
}
]
}
那么,有什么方法可以只允许一组角色而不被明确指定吗?
这似乎是委托访问信任帐户(您的帐户)而不是受信任帐户(_my_suffix - AWS 帐户)的问题。这些是您可以在下面检查的几件事 URL。
Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
谢谢
除 "Principal" : { "AWS" : "*" } 外,不能在信任策略中使用通配符。原因是当您将身份指定为委托人时,您必须使用完整的 ARN,因为 IAM 会转换为唯一 ID,例如AIDAxxx(对于 IAM 用户)或 AROAxxx(对于 IAM 角色)。以下是来自 document:
If your Principal element in a role trust policy contains an ARN that
points to a specific IAM user, then that ARN is transformed to the
user's unique principal ID when the policy is saved. This helps
mitigate the risk of someone escalating their privileges by removing
and recreating the user. You don't normally see this ID in the
console, because there is also a reverse transformation back to the
user's ARN when the trust policy is displayed.
我最近遇到了同样的问题use-case。 None 的回复为我解决了这个问题。
Charli,你原来的解决方案是有效的,但我需要一些调整才能让它工作,也就是说,我需要用 'stringLike' 替换 'ArnLike' 并切换 'aws:SourceArn' 以使用 'aws:PrincipalArn':
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:PrincipalArn": "arn:aws:iam::<ACCOUNT_ID>:role/test-role-name-*"
}
}
}
我想允许来自不同帐户的某些角色代入我的帐户中的角色。我不想一一指定角色,因为它们很容易经常变化。
我为信任关系提出了这个策略,它应该允许名称以 _my_suffix 结尾的任何角色,但它不起作用(访问被拒绝):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
},
"Condition": {
"ArnLike": {
"aws:SourceArn": "arn:aws:iam::ACCOUNT_NR_A:role/*_my_suffix"
}
},
"Action": "sts:AssumeRole"
}
]
}
另一方面,此策略有效但过于开放,因为它允许帐户 A 中的任何 user/role 担任我的角色:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::ACCOUNT_NR_A:root"
},
"Action": "sts:AssumeRole"
}
]
}
那么,有什么方法可以只允许一组角色而不被明确指定吗?
这似乎是委托访问信任帐户(您的帐户)而不是受信任帐户(_my_suffix - AWS 帐户)的问题。这些是您可以在下面检查的几件事 URL。
Link: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
谢谢
除 "Principal" : { "AWS" : "*" } 外,不能在信任策略中使用通配符。原因是当您将身份指定为委托人时,您必须使用完整的 ARN,因为 IAM 会转换为唯一 ID,例如AIDAxxx(对于 IAM 用户)或 AROAxxx(对于 IAM 角色)。以下是来自 document:
If your Principal element in a role trust policy contains an ARN that points to a specific IAM user, then that ARN is transformed to the user's unique principal ID when the policy is saved. This helps mitigate the risk of someone escalating their privileges by removing and recreating the user. You don't normally see this ID in the console, because there is also a reverse transformation back to the user's ARN when the trust policy is displayed.
我最近遇到了同样的问题use-case。 None 的回复为我解决了这个问题。
Charli,你原来的解决方案是有效的,但我需要一些调整才能让它工作,也就是说,我需要用 'stringLike' 替换 'ArnLike' 并切换 'aws:SourceArn' 以使用 'aws:PrincipalArn':
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<ACCOUNT_ID>:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringLike": {
"aws:PrincipalArn": "arn:aws:iam::<ACCOUNT_ID>:role/test-role-name-*"
}
}
}