Amazon web services DynamoDb中的细粒度访问
我的用户注册了facebook,表中有基本的用户信息。我希望用户只更新、删除自己的记录,而且能够读取所有其他用户的属性。例如,看看他们的名字。如何创建允许此操作的策略?这适用于场景1:Amazon web services DynamoDb中的细粒度访问,amazon-web-services,amazon-dynamodb,amazon-iam,Amazon Web Services,Amazon Dynamodb,Amazon Iam,我的用户注册了facebook,表中有基本的用户信息。我希望用户只更新、删除自己的记录,而且能够读取所有其他用户的属性。例如,看看他们的名字。如何创建允许此操作的策略?这适用于场景1: { "Version": "2012-10-17", "Statement": [ { "Sid": "FullAccessToUserItems", "Effect": "Allow", "Action": [ "dynamodb:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FullAccessToUserItems",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem"
],
"Resource": [
"arn:aws:dynamodb:us-west-2:123456789012:table/Users"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${graph.facebook.com:id}"
]
}
}
}
]
}只需将另一条具有读取权限的语句添加到整个表中即可 像这样的方法应该会奏效:
{
"Sid": "ReadAccess",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query"
],
"Resource": [
"arn:aws:dynamodb:us-west-2:123456789012:table/Users"
]
}
整个政策是这样的。请注意底部的第二句话:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "FullAccessToUserItems",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DeleteItem",
"dynamodb:BatchWriteItem"
],
"Resource": [
"arn:aws:dynamodb:us-west-2:123456789012:table/Users"
],
"Condition": {
"ForAllValues:StringEquals": {
"dynamodb:LeadingKeys": [
"${graph.facebook.com:id}"
]
}
}
},
{
"Sid": "ReadAccess",
"Effect": "Allow",
"Action": [
"dynamodb:GetItem",
"dynamodb:BatchGetItem",
"dynamodb:Query"
],
"Resource": [
"arn:aws:dynamodb:us-west-2:123456789012:table/Users"
]
}
]
}