问题
I am new to IAM in AWS. And, i desire to restrict the Query for various users to only table entries where primary key matches the cognito id. To achieve this, I created the policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowAccessToOnlyItemsMatchingUserID",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem"
],
"Resource": [
"arn:aws:dynamodb:us-east-1:XXXXXXXXXXX:table/User"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${cognito-identity.amazonaws.com:sub}"
]
}
}
}
]
}
But, when i am querying the table using Postman as shown below:
I am getting the following error:
"__type": "com.amazon.coral.service#AccessDeniedException",
"Message": "User: arn:aws:sts::XXXXXXXXXXXXX:assumed-role/Achintest/BackplaneAssumeRoleSession is not authorized to perform: dynamodb:Query on resource: arn:aws:dynamodb:us-east-1:XXXXXXXXXXXXX:table/User"
Can someone please let me know what mistake i am doing?
======== UPDATE ========
I tried using policy sim, and i am unable to understand why the Query without LeadingKey as shown in pic below is allowed.
and when i provide the leading key, it says denied. See below pic:
回答1:
It might depend on the request that you're issuing. Your IAM policy is using ForAllValues which takes every key of the request into consideration. Your policy may return false if some key in your request does not match some condition value in the result.
Try using ForAnyValue and that might do the trick.
See here for more info.
来源:https://stackoverflow.com/questions/40446680/aws-iam-using-conditionals