I am trying to write an IAM policy which will control access to EC2 instances. All EC2 instances will have a custom tag called username and only if the tag value matches the logged in user's user name, will that user have access to that EC2 instance. This is what I came up with:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "ec2:*",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/username": "arn:aws:iam::account-number-without-hyphens:user/username1"
        }
      }
    }
  ]
}
```
I am sure you see the problem here. I don't want to hard code the username value on the right hand side. I want to be able to get that information at runtime or policy evaluation time.
Is it possible to do so?
The IAM user can be referred to in policy documents by `${aws:username}`.
There is a list of other IAM policy variables and their uses here:
http://docs.aws.amazon.com/IAM/latest/UserGuide/PolicyVariables.html
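To show how the `${aws:username}` variable in the answer is resolved at evaluation time, here is an added example (not from the question or answer) that rewrites the asker's policy with the variable and runs it through a deliberately simplified, offline model of IAM evaluation: default deny, wildcard action match, and a `StringEquals` check on `ec2:ResourceTag/<key>` after variable substitution. The users `alice`/`bob` and the instance tags are constructed sample data.

```python
import re
from fnmatch import fnmatchcase

# The asker's policy with the hard-coded ARN replaced by the policy variable.
# IAM substitutes ${aws:username} with the calling IAM user's name per request.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/username": "${aws:username}"}},
    }],
}

def substitute_variables(value, request_context):
    """Replace ${key} policy variables with values from the request context."""
    return re.sub(r"\$\{([^}]+)\}",
                  lambda m: request_context.get(m.group(1), ""), value)

def condition_matches(condition, request_context, resource_tags):
    """Simplified StringEquals evaluator for ec2:ResourceTag/<key> keys only."""
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith("ec2:ResourceTag/"):
            return False  # simplified model: other condition keys not modelled
        tag_key = key[len("ec2:ResourceTag/"):]
        actual = resource_tags.get(tag_key)  # missing tag -> condition fails
        if actual is None or actual != substitute_variables(expected, request_context):
            return False
    return True

def is_allowed(policy, username, action, resource_tags):
    """Simplified IAM decision: deny unless an Allow statement fully matches."""
    request_context = {"aws:username": username}  # what IAM supplies at runtime
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatchcase(action, pattern) for pattern in actions):
            continue
        if stmt["Effect"] == "Allow" and condition_matches(
                stmt.get("Condition", {}), request_context, resource_tags):
            return True
    return False

if __name__ == "__main__":
    # Constructed instances: one tagged for alice, one for bob.
    print(is_allowed(POLICY, "alice", "ec2:StopInstances", {"username": "alice"}))  # True
    print(is_allowed(POLICY, "alice", "ec2:StopInstances", {"username": "bob"}))    # False
```

In real IAM, `ec2:Describe*` calls do not support resource-level condition keys, so a policy like this silently denies them; grant those in a separate statement without the tag condition. `${aws:username}` is only populated for IAM users, not for assumed roles or federated sessions.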
Source: https://stackoverflow.com/questions/23120204/can-an-aws-iam-policy-dynamically-refer-to-the-logged-in-username