1 answer
I would use tags on the principals instead of group membership with a bucket policy like this:
{
  "Id": "Policy1670278952233",
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt1670278950745",
      "Action": "s3:*",
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::bucket-name",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/role": "admin"
        }
      },
      "Principal": "*"
    }
  ]
}
Thank you for the response. This was helpful. This didn't work exactly as is, but a few small changes got it working.
Changes:
Resulting policy:
One question I have about this approach. Since the Principal is set to "*", will users in other accounts who have the correct tag be allowed to access the bucket?

That's a good point. Add the ARN to the Principal to limit it to users in your account.
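As an added example (not from the thread), here is the hardened form of the policy above with the Principal scoped to one account and with object ARNs included, plus a simplified matcher that shows why the cross-account question matters; the account id, bucket name and the `statement_matches` helper are constructed for illustration.

```python
import json

# Constructed placeholder account id and bucket name (not from the thread).
ACCOUNT_ID = "111122223333"
BUCKET = "bucket-name"

# Hardened version of the thread's bucket policy: Principal scoped to one
# account instead of "*", and both the bucket and its objects listed as
# resources so that object-level s3 actions are actually covered.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowTaggedAdminsInThisAccount",
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"StringEquals": {"aws:PrincipalTag/role": "admin"}},
        }
    ],
}


def account_of(arn: str) -> str:
    """Return the 12-digit account id field of an IAM ARN."""
    return arn.split(":")[4]


def statement_matches(stmt: dict, principal_arn: str, tags: dict) -> bool:
    """Simplified check of the Principal and aws:PrincipalTag StringEquals
    parts of one statement (a teaching aid, not AWS's evaluator: identity
    policies, explicit denies and other condition operators are ignored)."""
    principal = stmt["Principal"]
    if principal != "*":
        allowed = principal["AWS"]
        allowed = [allowed] if isinstance(allowed, str) else allowed
        # An account root ARN in Principal admits principals of that account.
        if account_of(principal_arn) not in {account_of(a) for a in allowed}:
            return False
    prefix = "aws:PrincipalTag/"
    for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
        if key.startswith(prefix) and tags.get(key[len(prefix):]) != value:
            return False
    return True


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
```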