以條件金鑰為基礎政策範例AWS Proton - AWS Proton

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

以條件金鑰為基礎政策範例AWS Proton

下列 IAM 政策範例拒絕存取AWS Proton與中指定的範本相符的動作Condition區塊。請注意,只有下列動作才支援這些條件索引鍵適用於 的動作、資源及條件金鑰AWS Proton。管理其他動作的許可,例如DeleteEnvironmentTemplate,您必須使用資源層級的存取控制。

拒絕的範例政策AWS Proton特定範本上的範本動作:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": ["proton:*"], "Resource": "*", "Condition": { "StringEqualsIfExists": { "proton:EnvironmentTemplate": ["arn:aws:proton:region_id:123456789012:environment-template/my-environment-template"] } } }, { "Effect": "Deny", "Action": ["proton:*"], "Resource": "*", "Condition": { "StringEqualsIfExists": { "proton:ServiceTemplate": ["arn:aws:proton:region_id:123456789012:service-template/my-service-template"] } } } ] }

在下一個範例政策中,第一個資源層級陳述式會拒絕存取AWS Proton範本動作,但ListServiceTemplates,符合中列出的服務範本Resource區塊。第二個陳述式會拒絕對AWS Proton與中列出的範本相符的動作Condition區塊。

拒絕的範例政策AWS Proton符合特定範本的動作:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "proton:*" ], "Resource": "arn:aws:region_id:123456789012:service-template/my-service-template" }, { "Effect": "Deny", "Action": [ "proton:*" ], "Resource": "*", "Condition": { "StringEqualsIfExists": { "proton:ServiceTemplate": [ "arn:aws:proton:region_id:123456789012:service-template/my-service-template" ] } } } ] }

最終的策略示例允許開發人員AWS Proton與列出的特定服務範本相符的動作Condition區塊。

允許的範例政策AWS Proton匹配特定模板的開發人員操作:

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "proton:ListServiceTemplates", "proton:ListServiceTemplateVersions", "proton:ListServices", "proton:ListServiceInstances", "proton:ListEnvironments", "proton:GetServiceTemplate", "proton:GetServiceTemplateVersion", "proton:GetService", "proton:GetServiceInstance", "proton:GetEnvironment", "proton:CreateService", "proton:UpdateService", "proton:UpdateServiceInstance", "proton:UpdateServicePipeline", "proton:DeleteService", "codestar-connections:ListConnections" ], "Resource": "*", "Condition": { "StringEqualsIfExists": { "proton:ServiceTemplate": "arn:aws:proton:region_id:123456789012:service-template/my-service-template" } } }, { "Effect": "Allow", "Action": [ "codestar-connections:PassConnection" ], "Resource": "arn:aws:codestar-connections:*:*:connection/*", "Condition": { "StringEquals": { "codestar-connections:PassedToService": "proton.amazonaws.com" } } } ] }