Question
I am trying to write an IAM policy which will control access to EC2 instances. All EC2 instances will have a custom tag called username, and only if the tag value matches the logged-in user's user name will that user have access to that EC2 instance. This is what I came up with:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/username": "arn:aws:iam::account-number-without-hyphens:user/username1"
        }
      }
    }
  ]
}
```
I am sure you see the problem here. I don't want to hard code the username value on the right hand side. I want to be able to get that information at runtime or policy evaluation time.
Is it possible to do so?
Answer 1:
The IAM user can be referred to in policy documents by ${aws:username}.
There is a list of other IAM policy variables and their uses here:
http://docs.aws.amazon.com/IAM/latest/UserGuide/PolicyVariables.html
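To show what the `${aws:username}` variable does at policy evaluation time, here is an added Python example (not part of the original question or answer, and not AWS's own evaluation engine): a small evaluator that expands policy variables from the request context and checks a `StringEquals` condition against the instance's `ec2:ResourceTag/username` value. The policy it evaluates is the question's policy with the hard-coded ARN replaced by `${aws:username}`; the user names, tags and the `request_context` helper are constructed for the example.

```python
import fnmatch
import re
from typing import Dict, List, Optional, Union

# The question's policy with the hard-coded ARN replaced by the ${aws:username}
# policy variable. Version "2012-10-17" is required for policy variables to be
# expanded at all; an older or invalid date leaves "${aws:username}" as a literal.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ec2:*",
            "Resource": "*",
            "Condition": {
                "StringEquals": {"ec2:ResourceTag/username": "${aws:username}"}
            },
        }
    ],
}

_VAR = re.compile(r"\$\{([A-Za-z0-9:/_.-]+)\}")


def resolve_variables(value: str, ctx: Dict[str, str]) -> Optional[str]:
    """Expand ${key} references from the request context.

    A reference to a key absent from the context (for example aws:username when
    the caller is an assumed role, which has no IAM user name) makes the whole
    value unresolvable, so the condition that uses it cannot match.
    """
    missing = False

    def repl(m: "re.Match[str]") -> str:
        nonlocal missing
        if m.group(1) not in ctx:
            missing = True
            return ""
        return ctx[m.group(1)]

    out = _VAR.sub(repl, value)
    return None if missing else out


def _as_list(x: Union[str, List[str]]) -> List[str]:
    return [x] if isinstance(x, str) else list(x)


def condition_matches(condition: Dict[str, Dict[str, str]], ctx: Dict[str, str]) -> bool:
    """Evaluate a Condition block; only StringEquals is modelled here."""
    for operator, pairs in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = ctx.get(key)  # a key missing from the request makes the condition false
            wanted = resolve_variables(expected, ctx)
            if actual is None or wanted is None or actual != wanted:
                return False
    return True


def evaluate(policy: dict, action: str, ctx: Dict[str, str]) -> str:
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "ExplicitDeny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def request_context(username: Optional[str], instance_tags: Dict[str, str]) -> Dict[str, str]:
    """Constructed stand-in for the keys IAM sees: aws:username (IAM users only)
    plus ec2:ResourceTag/<key> for each tag on the instance being acted on."""
    ctx = {"aws:username": username} if username else {}
    ctx.update({f"ec2:ResourceTag/{k}": v for k, v in instance_tags.items()})
    return ctx


if __name__ == "__main__":
    # Constructed sample instances: one tagged for alice, one with no username tag.
    alice_box = {"username": "alice", "Name": "alice-dev"}
    shared_box = {"Name": "shared"}
    for who, tags in [("alice", alice_box), ("bob", alice_box), ("alice", shared_box), (None, alice_box)]:
        verdict = evaluate(POLICY, "ec2:StopInstances", request_context(who, tags))
        print(f"user={who!r} tags={tags} -> {verdict}")
```

Two things the evaluator makes visible that the one-line answer does not: the tag value must be the bare IAM user name (`alice`), not the user's ARN as in the question's original right-hand side, because that is what `${aws:username}` expands to; and `aws:username` is simply absent when the caller is an assumed role, so the condition fails closed for roles (for those, `aws:userid` or `aws:PrincipalTag/...` are the usual alternatives). A related caveat for the real service: with `"Action": "ec2:*"`, any EC2 action that does not carry the `ec2:ResourceTag` key (the `Describe*` calls, for instance) is denied by this statement, so a working policy normally grants those actions in a separate statement without the tag condition.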
Source: https://stackoverflow.com/questions/23120204/can-an-aws-iam-policy-dynamically-refer-to-the-logged-in-username