问题描述
我在Secrets Manager中有一个秘密,并且系统中有多个IAM角色。我只希望只有一个角色可以访问该秘密信息。不幸的是,还有其他一些具有完全Secrets Manager特权的IAM角色。因此,我想将对秘密的访问权限限制为除我所希望的其他角色以外的所有其他角色。
角色
- IAM_role_that_need_to_access_the_secret。
- IAM_role_1_that_should_not_access_the_secret。
- IAM_role_2_that_should_not_access_the_secret。
以下内容有效。
{
"Version": "2012-10-17","Statement": [
{
"Effect": "Deny","Action": "secretsmanager:GetSecretValue","Principal": {
"AWS": "arn:aws:iam::IAM_role_1_that_should_not_access_the_secret","AWS": "arn:aws:iam::IAM_role_2_that_should_not_access_the_secret"
},"Resource": "*"
},{
"Effect": "Allow","Principal": {
"AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
},"Resource": "*","Condition": {
"ForAnyValue:StringEquals": {
"secretsmanager:VersionStage": "AWSCURRENT"
}
}
}
]
}
但是我想拒绝访问所有角色,而不必在“拒绝权限”部分中明确提及每个角色。像下面这样。但是它将限于所有角色,包括所需的角色。
{
"Version": "2012-10-17","Principal": {"AWS": "*"},"Condition": {
"ForAnyValue:StringEquals": {
"secretsmanager:VersionStage": "AWSCURRENT"
}
}
}
]
}
解决方法
更新:
我问过AWS支持,他们说:
这是一个已知问题,其中
NotPrinicipal
明确拒绝资源策略。解决方法是使用
"StringNotEquals":"aws:PrincipalArn"
条件键。
上一个答案:
您可以使用:NotPrincipal
{
"Effect": "Deny","NotPrincipal": {
"AWS": "arn:aws:iam::IAM_role_that_need_to_access_the_secret"
},"Action": "secretsmanager:GetSecretValue","Resource": "*",...
,
您可以创建一个 KMS key,然后为 KMS 密钥创建一个策略,该策略仅授予您需要的角色访问权限。类似于以下内容:
{
"Version": "2012-10-17","Id": "key-default-admin","Statement": [
{
"Sid": "Enable IAM User Permissions","Effect": "Allow","Principal": {
"AWS": "arn:aws:iam::<AWS_ACCOUNT_ID>:root"
},"Action": "kms:*","Resource": "*"
},{
"Sid": "Allow administration of the key","Principal": {
"AWS": [
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>","arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
]
},"Action": [
"kms:Create*","kms:Describe*","kms:Enable*","kms:List*","kms:Put*","kms:Update*","kms:Revoke*","kms:Disable*","kms:Get*","kms:Delete*","kms:ScheduleKeyDeletion","kms:CancelKeyDeletion"
],{
"Sid": "Allow use of the key","Principal": {
"AWS": [
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/AdminRole","Action": [
"kms:DescribeKey","kms:Encrypt","kms:Decrypt","kms:ReEncrypt*","kms:GenerateDataKey","kms:GenerateDataKeyWithoutPlaintext"
],{
"Sid": "Deny use of the key","Effect": "Deny","Condition": {
"StringNotLike": {
"aws:PrincipalArn": [
"arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>","arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
]
}
}
}
]
}