本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。
AWS IAM Identity Center
評估原則時,如果您定義AWS IAM Identity Center為信任提供者,「AWS已驗證存取」會將信任資料納入 Cedar 內容中,您在信任提供者組態上指定為「原則參照名稱」的金鑰下。如果您選擇,您可以撰寫根據信任資料進行評估的原則。
注意
信任提供者的內容金鑰來自您在建立信任提供者時所設定的原則參照名稱。例如,如果您將原則參照名稱設定為「idp123」,則內容索引鍵會是「上下文 .idp123」。建立原則時,請檢查您使用的是正確的內容索引鍵。
下列 JSON 結構描述
{
"title": "AWS IAM Identity Center context specification",
"type": "object",
"properties": {
"user": {
"type": "object",
"properties": {
"user_id": {
"type": "string",
"description": "a unique user id generated by AWS IdC"
},
"user_name": {
"type": "string",
"description": "username provided in the directory"
},
"email": {
"type": "object",
"properties": {
"address": {
"type": "email",
"description": "email address associated with the user"
},
"verified": {
"type": "boolean",
"description": "whether the email address has been verified by AWS IdC"
}
}
}
}
},
"groups": {
"type": "object",
"description": "A list of groups the user is a member of",
"patternProperties": {
"^[a-fA-F0-9]{8}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{4}-[a-fA-F0-9]{12}$": {
"type": "object",
"description": "The Group ID of the group",
"properties": {
"group_name": {
"type": "string",
"description": "The customer-provided name of the group"
}
}
}
}
}
}
}
以下是根據 AWS IAM 身分中心提供的信任資料進行評估的政策範例。
permit(principal, action, resource) when {
context.idc.user.email.verified == true
// User is in the "sales" group with specific ID
&& context.idc.groups has "c242c5b0-6081-1845-6fa8-6e0d9513c107"
};
注意
由於群組名稱可以變更,IAM 身分中心指的是使用其群組 ID 的群組。這有助於避免在變更群組名稱時中斷原則陳述式。