# 单值上下文键策略示例
以下一组策略示例演示了如何使用单值上下文键创建策略条件。
## 示例:具有单值上下文键的多个条件块
条件块有多个条件时,每个条件都有一个上下文键,所有上下文键必须解析为 true 才能调用所需的 `Allow` 或 `Deny` 效果。使用否定匹配条件运算符时,条件值的评估逻辑是相反的。
以下示例允许用户创建 EC2 卷并在创建卷期间将标签应用到卷。请求上下文必须包含上下文键 `aws:RequestTag/project` 的值,以及上下文键 `aws:ResourceTag/environment` 的值可以是除生产之外的任何内容。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:CreateVolume",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*",
"Condition": {
"StringLike": {
"aws:RequestTag/project": "*"
}
}
},
{
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": "arn:aws:ec2:us-east-1:123456789012:*/*",
"Condition": {
"StringNotEquals": {
"aws:ResourceTag/environment": "production"
}
}
}
]
}
```
------
请求上下文必须包含项目标签值,并且不能为生产资源创建以调用 `Allow` 效果。以下 EC2 卷已成功创建,因为项目名称为 `Feature3`,资源标签为 `QA`。
```
aws ec2 create-volume \
--availability-zone us-east-1a \
--volume-type gp2 \
--size 80 \
--tag-specifications 'ResourceType=volume,Tags=[{Key=project,Value=Feature3},{Key=environment,Value=QA}]'
```
## 示例:具有多个单值上下文键和值的一个条件块
条件块包含多个上下文键并且每个上下文键具有多个值时,每个上下文键必须解析为 true,以便至少有一个键值能够调用所需的 `Allow` 或 `Deny` 效果。使用否定匹配条件运算符时,上下文键值的评估逻辑是相反的。
以下示例允许用户在 Amazon Elastic Container Service 集群上启动和运行任务。
+ 对于 `aws:RequestTag/environment` 上下文键 **AND**,请求上下文必须包含 `production` **或** `prod-backup`。
+ `ecs:cluster` 上下文键可确保在 `default1` **或** `default2` ARN ECS 集群上运行任务。
------
#### [ JSON ]
****
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ecs:RunTask",
"ecs:StartTask"
],
"Resource": [
"*"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/environment": [
"production",
"prod-backup"
]
},
"ArnEquals": {
"ecs:cluster": [
"arn:aws:ecs:us-east-1:{{111122223333}}:cluster/default1",
"arn:aws:ecs:us-east-1:{{111122223333}}:cluster/default2"
]
}
}
}
]
}
```
------
下表显示了 AWS 如何根据请求中的条件键值来评估此策略。
| 策略条件 | 请求上下文 | 结果 |
| --- | --- | --- |
| "StringEquals": {
"aws:RequestTag/environment": [
"production",
"prod-backup"
]
},
"ArnEquals": {
"ecs:cluster": [
"arn:aws:ecs:us-east-1:111122223333:cluster/default1",
"arn:aws:ecs:us-east-1:111122223333:cluster/default2"
]
} | aws:RequestTag: environment:production
ecs:cluster:
arn:aws:ecs:us-east-1:111122223333:cluster/default1
| 匹配 |
| "StringEquals": {
"aws:RequestTag/environment": [
"production",
"prod-backup"
]
},
"ArnEquals": {
"ecs:cluster": [
"arn:aws:ecs:us-east-1:111122223333:cluster/default1",
"arn:aws:ecs:us-east-1:111122223333:cluster/default2"
]
} | aws:RequestTag: environment:prod-backup
ecs:cluster:
arn:aws:ecs:us-east-1:111122223333:cluster/default2
| 匹配 |
| "StringEquals": {
"aws:RequestTag/environment": [
"production",
"prod-backup"
]
},
"ArnEquals": {
"ecs:cluster": [
"arn:aws:ecs:us-east-1:111122223333:cluster/default1",
"arn:aws:ecs:us-east-1:111122223333:cluster/default2"
]
} | aws:RequestTag: webserver:production
ecs:cluster:
arn:aws:ecs:us-east-1:111122223333:cluster/default2
| 不匹配 |
| "StringEquals": {
"aws:RequestTag/environment": [
"production",
"prod-backup"
]
},
"ArnEquals": {
"ecs:cluster": [
"arn:aws:ecs:us-east-1:111122223333:cluster/default1",
"arn:aws:ecs:us-east-1:111122223333:cluster/default2"
]
} | 请求上下文中没有 `aws:RequestTag`。ecs:cluster
arn:aws:ecs:us-east-1:111122223333:cluster/default2
| 不匹配 |