的细粒度访问策略中使用通配符

的细粒度访问策略中使用通配符

关注
发信
关注(28)粉丝(399)

可以在 dynamodb 的细粒度访问策略中使用通配符 (*) 吗?

本文介绍了可以在 dynamodb 的细粒度访问策略中使用通配符 (*) 吗?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

我有一个 Amazon dynamodb 表,其分区键由用户 id(来自 facebook 或 google)和其他字符组成.我知道通配符可用于指定细粒度访问策略的属性,但我无法在 dynamodb:LeadingKeys 中使用通配符.

I have a Amazon dynamodb table with partition key composed of the user's id (from facebook or google) and other characters. I know wildcard can be used to specify the properties of a fine-grained access policy, but I couldn't get the wildcard in the dynamodb:LeadingKeys working.

这是工作政策:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "dynamodb:BatchGetItem",
              "dynamodb:BatchWriteItem",
              "dynamodb:DeleteItem",
              "dynamodb:GetItem",
              "dynamodb:PutItem",
              "dynamodb:Query",
              "dynamodb:UpdateItem"
          ],
          "Resource": [
              "arn:aws:dynamodb:<region>:<...>:table/<table-name>"
          ],
          "Condition": {
              "ForAllValues:StringEquals": {
                  "dynamodb:LeadingKeys": [
                      "g_${accounts.google.com:sub}"
                  ]
              }
          }
      }
  ]
}

但是,这不起作用:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "dynamodb:BatchGetItem",
              "dynamodb:BatchWriteItem",
              "dynamodb:DeleteItem",
              "dynamodb:GetItem",
              "dynamodb:PutItem",
              "dynamodb:Query",
              "dynamodb:UpdateItem"
          ],
          "Resource": [
              "arn:aws:dynamodb:<region>:<...>:table/<table-name>"
          ],
          "Condition": {
              "ForAllValues:StringEquals": {
                  "dynamodb:LeadingKeys": [
                      "*_${accounts.google.com:sub}"
                  ]
              }
          }
      }
  ]
}

推荐答案

我找到了解决方案.因此,不要使用 ForAllValues:StringEquals,而是使用 ForAllValues:StringLike.

I found the solution to this. So instead of using ForAllValues:StringEquals, use ForAllValues:StringLike.

工作方针是这样的:

{
  "Version": "2012-10-17",
  "Statement": [
      {
          "Effect": "Allow",
          "Action": [
              "dynamodb:BatchGetItem",
              "dynamodb:BatchWriteItem",
              "dynamodb:DeleteItem",
              "dynamodb:GetItem",
              "dynamodb:PutItem",
              "dynamodb:Query",
              "dynamodb:UpdateItem"
          ],
          "Resource": [
              "arn:aws:dynamodb:<region>:<...>:table/<table-name>"
          ],
          "Condition": {
              "ForAllValues:StringLike": {
                  "dynamodb:LeadingKeys": [
                      "*_${accounts.google.com:sub}"
                  ]
              }
          }
      }
  ]
}

我花了一段时间才找到这个参考:http:///docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AccessPolicyLanguage_ConditionType

Took me a while to find this reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AccessPolicyLanguage_ConditionType

这篇关于可以在 dynamodb 的细粒度访问策略中使用通配符 (*) 吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-24 04:48
Powered by LMLPHP ©2024 的细粒度访问策略中使用通配符 0.053284