IAM Docs Feedback: Wrong condition operator modifier?

0

I am trying to provide feedback on this IAM docs page. When I click the feedback link, it takes me to here which fails when I submit with this error:

HTTP Status 400 – Bad Request

Type Exception Report
Message Request header is too large
Description The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid request message framing, or deceptive request routing).
Exception
java.lang.IllegalArgumentException: Request header is too large
	org.apache.coyote.http11.Http11InputBuffer.parseHeaders(Http11InputBuffer.java:629)
	org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:535)
	org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:65)
	org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:847)
	org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1680)
	org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
	org.apache.tomcat.util.threads.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1191)
	org.apache.tomcat.util.threads.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:659)
	org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	java.lang.Thread.run(Thread.java:750)
Note The full stack trace of the root cause is available in the server logs.

Apache Tomcat/8.5.75

Consequently, I'll provide my feedback here. Reading over the docs here, it would appear you are using the wrong condition operator modifier on this page.

Wouldn't this require that SourceIdentity be set to both Saanvi and Diego, not either or:

"StringLike": {
          "sts:SourceIdentity": [
            "Saanvi",
            "Diego"
          ]
        }

Shouldn't it be?:

"ForAnyValue:StringEquals": {
          "sts:SourceIdentity": [
            "Saanvi",
            "Diego"
          ]
        }

Also you appear to arbitrarily be using StringLike instead of StringEquals throughout:

"Condition": {
        "StringLike": {
          "sts:SourceIdentity": "${aws:username}"
        }
      }

Although there are no wildcards in this if you want an exact match, wouldn't it be more clear to use StringEquals?

perpil
asked 2 years ago · 325 views
1 Answer
0

Ok, I think I understand now how the first part is working. It appears that the key sts:SourceIdentity has a single value. When you use StringLike/StringEquals on a single value key and provide an array of matches, it passes if any of those items in the array are true. That is shown in an example on this page. Is it possible to explicitly document the behavior here when you use an array vs a string as a key value or point me to where that behavior is defined?

For example:

If the key value is a string and you use StringEquals, it passes only if it matches:

"Condition": {
        "StringEquals": {
          "sts:SourceIdentity": "Saanvi"
        }
      }

If the key value is an array of strings, any one of them matching makes it pass.

"Condition": {
        "StringEquals": {
          "sts:SourceIdentity": [
            "Saanvi",
            "Diego"
          ]
        }
      }
perpil
answered 2 years ago
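The evaluation rule discussed in the question and answer above, as a simplified model added here for illustration (it is not AWS's implementation and not code from the original posts). The function names and the identity "Mallory" are constructed; the sketch covers only StringEquals and StringLike, with and without a set qualifier, and shows that for the single-valued key sts:SourceIdentity the array form and the ForAnyValue form give the same result.

```python
import re

def string_like(pattern, value):
    # StringLike: case-sensitive, '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None

MATCHERS = {"StringEquals": lambda expected, actual: expected == actual,
            "StringLike": string_like}

def condition_matches(condition, context):
    """Evaluate a policy "Condition" block against a request context (simplified).

    context maps each condition key to what the request carries: a string for a
    single-valued key such as sts:SourceIdentity, a list for a multivalued key.
    """
    for operator, keys in condition.items():           # operators are ANDed
        qualifier, _, base = operator.rpartition(":")   # "" when no set qualifier
        match = MATCHERS[base]
        for key, allowed in keys.items():               # keys are ANDed
            allowed = [allowed] if isinstance(allowed, str) else allowed
            actual = context.get(key, [])
            actual = [actual] if isinstance(actual, str) else actual
            if qualifier == "ForAllValues":
                # Every request value must match some policy value; this is
                # also true when the key is absent from the request.
                ok = all(any(match(a, v) for a in allowed) for v in actual)
            else:
                # No qualifier or ForAnyValue: listed policy values are ORed,
                # and an absent key never matches.
                ok = any(match(a, v) for a in allowed for v in actual)
            if not ok:
                return False
    return True

# Constructed policies using the names from the question.
ARRAY_FORM = {"StringLike": {"sts:SourceIdentity": ["Saanvi", "Diego"]}}
ANY_VALUE_FORM = {"ForAnyValue:StringEquals": {"sts:SourceIdentity": ["Saanvi", "Diego"]}}

def compare(source_identity):
    """Return (array-form result, ForAnyValue-form result) for one identity."""
    ctx = {} if source_identity is None else {"sts:SourceIdentity": source_identity}
    return condition_matches(ARRAY_FORM, ctx), condition_matches(ANY_VALUE_FORM, ctx)

if __name__ == "__main__":
    for who in ("Saanvi", "Diego", "Mallory", None):
        print(who, compare(who))
```

The ForAllValues branch is included because it behaves differently when the key is missing from the request: it evaluates to true, which is why it is usually paired with a check that the key is present.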
