- 最新
- 投票最多
- 评论最多
Hi,
Thank you for contacting us! I understand that you would like to simulate a custom policy to determine the policy's effective permissions evaluated against multiple actions and resources.
I confirm that you are able to use the 'simulate-custom-policy' CLI command on multiple actions and resources. The following sample command worked for me:
aws iam simulate-custom-policy --policy-input-list '{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"kms:*","Resource":"arn:aws:kms:us-east-1:<account-ID>:key/12345-6789-12345asdf-fghj-123455yz"}]}' --action-names "kms:Decrypt" "kms:ListGrants" --resource-arns "arn:aws:kms:us-east-1:<account-ID>:key/12345-6789-12345asdf-fghj-123455yz" "arn:aws:kms:us-east-1:<account-ID>:key/abcdef-6789-12345asdf-fghj-123455abcd"
Note the format I have used to include multiple action names and resources within double quotes.
This syntax for passing multiple action names and resources is also outlined in the following document under the --action-names and --resource-arns CLI options:
Please let us know if you need any further assistance. We'll be glad to assist!
I think I found the issue, the policy has actions names with STAR. Like kms:List* to include all the actions starts with List.
I have tried few other combinations with other AWS services actions (i.e. S3, CloudWatch, CloudFormation) and it seems the same issue. It only works when Resource is provided with *. If Resource has ARN and Action name has STAR it will fail.
