允许访问特定表的

允许访问特定表的

本文介绍了允许访问特定表的 DynamoDB 控制台的 IAM 策略的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

是否可以创建一个 AWS IAM 策略,只为特定表提供对 DynamoDB 控制台的访问权限?我试过了:

Is it possible to create an AWS IAM policy that provides access to the DynamoDB console only for specific tables? I have tried:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt0000000001",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:ListTables",
                <other actions>
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:dynamodb:<region>:<account>:table/FooTable",
                "arn:aws:dynamodb:<region>:<account>:table/BarTable"
            ]
        }
    ]
}

但对于附加此策略的用户,DynamoDB 表列表显示 Not Authorized(就像未附加策略时一样).

but for a user with this policy attached, the DynamoDB tables list says Not Authorized (as it does when no policy is attached).

Resource" 设置为 *" 并添加如下所示的新语句,让用户执行 <other actions>FooTableBarTable 上,但他们也可以在表格列表中看到所有其他表格.

Setting "Resource" to "*" and adding a new statement like below lets the user perform <other actions> on FooTable and BarTable, but they can also see all other tables in the tables list.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt0000000001",
            "Action": [
                <other actions>
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:dynamodb:<region>:<account>:table/FooTable",
                "arn:aws:dynamodb:<region>:<account>:table/BarTable"
            ]
        },
        {
            "Sid": "Stmt0000000002",
            "Action": [
                "dynamodb:DescribeTable",
                "dynamodb:ListTables"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}

推荐答案

很抱歉这个坏消息,但是 AWS 管理控制台需要 DescribeTableListTables 权限整个 DynamoDB 才能正常运行.

Sorry for the bad news, but the AWS Management Console requires both DescribeTable and ListTables permissions against the whole of DynamoDB in order to operate correctly.

但是,有一个小解决方法...您可以为控制台用户提供一个 URL,将他们直接带到表中,并且可以正常查看和添加项目等.

However, there is a small workaround... You can give Console users a URL that takes them directly to the table, and operates fine for viewing and adding items, etc.

只需从具有正确权限的用户那里复制 URL,例如:

Just copy the URL from a user that has correct permissions, eg:

https://REGION.console.aws.amazon.com/dynamodb/home?region=REGION#explore:name=TABLE-NAME

这篇关于允许访问特定表的 DynamoDB 控制台的 IAM 策略的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-24 04:49