2014-03-24 217 views
8

我想一個策略添加到已經可以在兩個S3桶執行CRUD這裏現有IAM用戶當前工作的政策AWS IAM策略SQS

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Sid": "devcontrol", 
     "Effect": "Allow", 
     "Action": [ 
     "s3:Get*", 
     "s3:Put*", 
     "s3:DeleteObject", 
     "s3:DeleteObjectVersion" 
     ], 
     "Resource": [ 
     "arn:aws:s3:::blahimages/*", 
     "arn:aws:s3:::blahvideos/*" 
     ] 
    } 
    ] 
} 

一個例子政策從SQS文件這篇

{ 
    "Version": "2012-10-17", 
    "Statement":[{ 
     "Effect":"Allow", 
     "Action":"sqs:*", 
     "Resource":"arn:aws:sqs:*:123456789012:bob_queue*" 
     } 
    ] 
} 

所以,我想這個

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
    { 
     "Sid": "devcontrol", 
     "Effect": "Allow", 
     "Action": [ 
     "s3:Get*", 
     "s3:Put*", 
     "s3:DeleteObject", 
     "s3:DeleteObjectVersion" 
     ], 
     "Resource": [ 
     "arn:aws:s3:::blahimages/*", 
     "arn:aws:s3:::blahvideos/*" 
     ] 
    }, 
    { 
     "Effect":"Allow", 
     "Action":"sqs:*", 
     "Resource":"arn:aws:sqs:*:myarn" 
     } 
    ] 
    } 

我沒有得到任何解析錯誤,但模擬器WA還在歸國否認對SQS隊列

也真的我只是希望此用戶能夠將消息添加到隊列,接受他們,並刪除它們,而上述政策會增加,我相信所有的動作

回答

5

您的SQS ARN無效:"arn:aws:sqs:*:myarn"

您應該改用arn:aws:sqs:<region name>:<account id>:<queue name>。 (你錯過了<account id>)。

如果您希望您的策略在多個區域中有效,則區域名稱可能會被替換爲*。但是賬戶ID是強制性的,因爲隊列名稱在AWS主賬戶和區域內是唯一的。

有關有效SQS策略的示例,請參閱http://docs.aws.amazon.com/AWSSimpleQueueService/latest/SQSDeveloperGuide/SQSExamples.html