问题
I have a Amazon dynamodb table with partition key composed of the user's id (from facebook or google) and other characters. I know wildcard can be used to specify the properties of a fine-grained access policy, but I couldn't get the wildcard in the dynamodb:LeadingKeys working.
Here is the working policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:UpdateItem"
],
"Resource": [
"arn:aws:dynamodb:<region>:<...>:table/<table-name>"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"g_${accounts.google.com:sub}"
]
}
}
}
]
}
However, this doesn't work:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:UpdateItem"
],
"Resource": [
"arn:aws:dynamodb:<region>:<...>:table/<table-name>"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"*_${accounts.google.com:sub}"
]
}
}
}
]
}
回答1:
I found the solution to this. So instead of using ForAllValues:StringEquals, use ForAllValues:StringLike.
The working policy is such:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"dynamodb:BatchGetItem",
"dynamodb:BatchWriteItem",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:Query",
"dynamodb:UpdateItem"
],
"Resource": [
"arn:aws:dynamodb:<region>:<...>:table/<table-name>"
],
"Condition": {
"ForAllValues:StringLike": {
"dynamodb:LeadingKeys": [
"*_${accounts.google.com:sub}"
]
}
}
}
]
}
Took me a while to find this reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#AccessPolicyLanguage_ConditionType
来源:https://stackoverflow.com/questions/46605010/can-wildcard-character-be-used-in-the-fine-grained-access-policy-for-dynamod