只允许一个SSO用户访问资源的策略

【以下的回答经过翻译处理】 我了解到您目前正在尝试使用SSO身份的UserID限制对Sagemaker笔记本的访问。

目前，我利用您提供的SSO权限集并进行了微调，如下所示，并最终通过以AWS SSO用户身份登录的方式，在AWS SageMaker控制台上进行了测试，成功查看/停止/描述了与SSO UserID对应的SageMaker笔记本（带有标签-Owner：UserId）。

{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Effect": "Allow",
			"Action": [
				"glue:CreateScript",
				"secretsmanager:*"
			],
			"Resource": "*"
		},
		{
			"Effect": "Allow",
			"Action": [
				"sagemaker:ListTags",
				"sagemaker:DeleteNotebookInstance",
				"sagemaker:StopNotebookInstance",
				"sagemaker:CreatePresignedNotebookInstanceUrl",
				"sagemaker:Describe*",
				"sagemaker:StartNotebookInstance",
				"sagemaker:UpdateNotebookInstance",
				"sagemaker:CreatePresignedDomainUrl"
			],
			"Resource": "arn:aws:sagemaker:us-east-1:7XXXXXXXXX:notebook-instance/*",
			"Condition": {
				"StringEquals": {
					"sagemaker:ResourceTag/Owner": "${identitystore:UserId}"
				}
			}
		},
		{
			"Sid": "VisualEditor1",
			"Effect": "Allow",
			"Action": [
				"sagemaker:ListNotebookInstanceLifecycleConfigs",
				"sagemaker:ListNotebookInstances",
				"sagemaker:ListCodeRepositories"
			],
			"Resource": "*"
		}
	]
}

然而，如果此SSO用户尝试停止任何其他没有与其UserId对应的标签的Sagemaker笔记本，则预期行为会出现以下错误：

User: arn:aws:sts::7XXXXXXXXX:assumed-role/AWSReservedSSO_SageMXXXXXXXXXbe/test1 is not authorized to perform: sagemaker:StopNotebookInstance on resource: arn:aws:sagemaker:us-east-1:7XXXXXXXXX:notebook-instance/userachecking because no identity-based policy allows the sagemaker:StopNotebookInstance action

或

User: arn:aws:sts::7XXXXXXXXX:assumed-role/AWSReservedSSO_SageMXXXXXXXXXbe/test1 is not authorized to perform: sagemaker:DescribeNotebookInstance on resource: arn:aws:sagemaker:us-east-1:7XXXXXXXXX:notebook-instance/Test1Check because no identity-based policy allows the sagemaker:DescribeNotebookInstance action

此外，请注意，与您提供的IAM策略不同，您的SSO权限集策略缺少操作-“sagemaker：ListNotebookInstances”，这也会在我的测试中因无法列出AWS SageMaker控制台上的笔记本实例而引发错误。因此，我也在您的权限集中添加了适当的Sagemaker列表操作。

附加信息 -

a. $ {identitystore：UserId} - AWS SSO身份存储中的每个用户都分配了唯一的UserID。您可以使用AWS SSO控制台并导航到每个用户或使用DescribeUser API操作来查看您的用户的UserId。[1]

b. ListNotebookInstances - 返回AWS区域中请求者帐户中的SageMaker笔记本实例列表。[2]

c. ResourceTag - 您可以使用ResourceTag / key-name条件键来确定是否基于标记允许对资源的访问。[3] [4]

d. sagemaker：ResourceTag / - 按附加到资源的标签键和值对的前缀字符串过滤访问[5]

e. sagemaker：ResourceTag / $ {TagKey} - 根据标记键值对过滤访问[5]

参考:

[1] https://docs.aws.amazon.com/singlesignon/latest/userguide/using-predefined-attributes.html

[2] https://docs.aws.amazon.com/sagemaker/latest/APIReference/API_ListNotebookInstances.html

[3] https://docs.aws.amazon.com/IAM/latest/UserGuide/access_tags.html

[4] https://aws.amazon.com/blogs/security/simplify-granting-access-to-your-aws-resources-by-using-tags-on-aws-iam-users-and-roles/

[5] https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonsagemaker.html#amazonsagemaker-policy-keys