I have just stumbled upon an s3 bucket policy within my organisation containing multiple statements, two of which are:
{
    "Sid": "ReadFromEKS",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/redacted"
    },
    "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject",
        "s3:GetObjectAcl"
    ],
    "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
    ]
}
{
    "Sid": "ReadFromEKS",
    "Effect": "Allow",
    "Principal": {
        "AWS": "arn:aws:iam::210987654321:role/redacted"
    },
    "Action": [
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:PutObjectAcl",
        "s3:DeleteObject",
        "s3:GetObjectAcl"
    ],
    "Resource": [
        "arn:aws:s3:::bucket-name",
        "arn:aws:s3:::bucket-name/*"
    ]
}
(These were copy/pasted from the AWS console, then I changed the bucket and role ARNs)
I am confused because my understanding was that Statement IDs (Sids) had to be unique within a policy. Clearly here they are not.
Am I incorrect in my belief that Sids are unique within a policy? If that belief is not incorrect, how could this policy possibly exist?
asked by jamiet, edited by luk2302
1 Answer
The Sid is not required to be unique everywhere, see the docs:
In IAM, the Sid value must be unique within a JSON policy.
and
Some AWS services (for example, Amazon SQS or Amazon SNS) might require this element and have uniqueness requirements for it. For service-specific information about writing policies, refer to the documentation for the service you work with.
S3 only recommends uniqueness while IAM requires it; you can verify this by writing the policies in JSON in the AWS console and inspecting the resulting warning / error.
Unfortunately I have not been able to find documentation for S3 that explicitly only recommends it; that may be because the default simply is non-unique, and IAM enforces uniqueness, and therefore only that is explicitly mentioned in the docs.
The example bucket policies already include a few policies with non-unique Sids.
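As an added example (not from the question or the answer above): a small Python check that flags Sids reused within one policy document, so a bucket policy that S3 accepts can be vetted before its statements are copied into an IAM policy, where the duplicate would be rejected. The sample policy, account IDs and ARNs are constructed placeholders.

```python
import json
from collections import defaultdict

# Constructed sample (not a real policy): the two statements from the question
# inside one bucket policy, plus a third with its own Sid. ARNs are placeholders.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadFromEKS", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/redacted"},
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]},
        {"Sid": "ReadFromEKS", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::210987654321:role/redacted"},
         "Action": ["s3:ListBucket", "s3:GetObject", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::bucket-name", "arn:aws:s3:::bucket-name/*"]},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::bucket-name/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})


def principals_of(statement):
    """Flatten Principal ("*", one ARN, or {"AWS": [...]}) into a list of strings."""
    principal = statement.get("Principal", {})
    if isinstance(principal, str):
        return [principal]
    return [p for value in principal.values()
            for p in (value if isinstance(value, list) else [value])]


def duplicate_sids(policy_json):
    """Return {sid: [(statement_index, principals), ...]} for every reused Sid."""
    # S3 accepts such a document; IAM rejects it, so expect {} before reusing
    # these statements in an IAM policy.
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may appear un-wrapped
        statements = [statements]
    seen = defaultdict(list)
    for index, statement in enumerate(statements):
        sid = statement.get("Sid")
        if sid is not None:  # Sid is optional; statements without one cannot collide
            seen[sid].append((index, principals_of(statement)))
    return {sid: uses for sid, uses in seen.items() if len(uses) > 1}


if __name__ == "__main__":
    for sid, uses in duplicate_sids(SAMPLE_POLICY).items():
        print(f"Sid {sid!r} is reused by statements {[i for i, _ in uses]}")
```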
amazon web services - How can two IAM statements have the same Sid? - Stack Overflow