
How to block access to Boto3 client from accessing Athena workgroup

0

I need to block the Boto3 client from accessing the Athena workgroup while allowing Tableau. Both use the JDBC driver. Is there any port/IAM policy to achieve this? Both Tableau and the Boto3 client are accessing from outside my VPC and account.

2 answers
1

Hi,

I don't think that blocking access via agent name is a safe practice: remember that AWS SDKs like boto3 are open source. So, anybody can modify the agent name by changing the source code correspondingly.

The only valid way is via regular IAM credentials: the boto3 client and Parquet must have different credentials so that they are distinctly authenticated. Then, you can safely authorize Parquet while forbidding boto3.

Best,

Didier

Expert
answered 2 years ago
AWS
Expert
reviewed 2 years ago
0

Hello.

When you make a request with boto3, the boto3 user agent will be recorded as shown below.

"userAgent": "Boto3/1.34.105 md/Botocore#1.34.105 ua/2.0 os/linux#6.1.96-102.177.amzn2023.x86_64 md/arch#x86_64 lang/python#3.9.16 md/pyimpl#CPython exec-env/CloudShell cfg/retry-mode#legacy Botocore/1.34.105",

So, if you use "aws:UserAgent" in the IAM condition key, you may be able to deny access from boto3.
https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-useragent

I created and tested the following IAM policy.
The IAM policy below allows all operations on Athena, but only "GetWorkGroup" is denied when the user agent is boto3.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": "athena:GetWorkGroup",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "aws:UserAgent": "Boto3*"
                }
            }
        },
        {
            "Effect": "Allow",
            "Action": "athena:*",
            "Resource": "*"
        }
    ]
}

I was able to access the workgroup without any problems when accessing from the management console as shown below.

It was confirmed that when executing "get_work_group(WorkGroup='primary')" with boto3, the following error occurs.

Traceback (most recent call last):
  File "/home/cloudshell-user/test.py", line 5, in <module>
    response = client.get_work_group(WorkGroup='primary')
  File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 565, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/usr/local/lib/python3.9/site-packages/botocore/client.py", line 1021, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetWorkGroup operation: You are not authorized to perform: athena:GetWorkGroup on the resource. After your AWS administrator or you have updated your permissions, please try again.
Expert
answered 2 years ago
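To see why the two statements above behave the way the answer describes (the Deny on athena:GetWorkGroup wins over the broad Allow, but only for a matching user agent), here is an added example, not code from either answer: a small Python model of IAM's explicit-deny-over-allow evaluation with StringLike matching on aws:UserAgent. The policy and the boto3 user-agent string are taken from the answer; the JDBC user agent is a constructed placeholder, and the evaluator is a simplification, not the IAM engine.

```python
import fnmatch

# The policy from the answer above, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Deny", "Action": "athena:GetWorkGroup", "Resource": "*",
         "Condition": {"StringLike": {"aws:UserAgent": "Boto3*"}}},
        {"Effect": "Allow", "Action": "athena:*", "Resource": "*"},
    ],
}

# Constructed sample context values: the boto3 user agent quoted in the answer
# (abbreviated) and a hypothetical JDBC client user agent standing in for Tableau.
BOTO3_UA = "Boto3/1.34.105 md/Botocore#1.34.105 ua/2.0 os/linux lang/python#3.9.16"
JDBC_UA = "AthenaJDBC/2.0.0 (hypothetical placeholder)"


def _string_like(pattern, value):
    """IAM StringLike: '*' and '?' wildcards, case-sensitive comparison."""
    return fnmatch.fnmatchcase(value, pattern)


def _statement_applies(stmt, action, context):
    """True if the statement's Action matches and every condition holds."""
    actions = stmt["Action"]
    if isinstance(actions, str):
        actions = [actions]
    if not any(fnmatch.fnmatchcase(action, a) for a in actions):
        return False
    for operator, keys in stmt.get("Condition", {}).items():
        if operator != "StringLike":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, pattern in keys.items():
            # A missing context key never satisfies StringLike, so the
            # statement (Deny or Allow) simply does not apply.
            if key not in context or not _string_like(pattern, context[key]):
                return False
    return True


def evaluate(policy, action, context):
    """Simplified IAM logic: explicit Deny wins, then Allow, else implicit deny."""
    effects = {s["Effect"] for s in policy["Statement"]
               if _statement_applies(s, action, context)}
    if "Deny" in effects:
        return "Deny"
    return "Allow" if "Allow" in effects else "ImplicitDeny"
```

Running `evaluate(POLICY, "athena:GetWorkGroup", {"aws:UserAgent": BOTO3_UA})` reproduces the AccessDeniedException case from the answer, while other Athena actions from the same client are still allowed.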
