This page is a machine-translated version. Where this translation differs from the English original, the English original prevails.
Create an IAM user and an Amazon SQS queue

The following examples show how to use the Amazon Web Services Management Console and Amazon CloudFormation to create ABAC (attribute-based access control) policies that control access to Amazon SQS. In both examples the IAM user carries the tag environment=beta, and the policy grants SQS actions only when the queue (or, for queue creation, the request) carries a matching environment tag, while explicitly denying any SQS action on queues tagged stage=prod.
Using the Amazon Web Services Management Console

Create an IAM user

1. Sign in to the Amazon Web Services Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
2. In the left navigation pane, choose Users.
3. Choose Add user, and then enter a name in the User name text box.
4. Select the Access key - Programmatic access check box, and then choose Next: Permissions.
5. Choose Next: Tags.
6. Add the tag key environment with the tag value beta.
7. Choose Next: Review, and then choose Create user.
8. Copy the access key ID and secret access key and store them in a secure location.
Add IAM user permissions

1. Choose the IAM user that you created.
2. Choose Add inline policy.
3. On the JSON tab, paste the following policy.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAccessForSameResTag",
          "Effect": "Allow",
          "Action": [
            "sqs:SendMessage",
            "sqs:ReceiveMessage",
            "sqs:DeleteMessage"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/environment": "${aws:PrincipalTag/environment}"
            }
          }
        },
        {
          "Sid": "AllowAccessForSameReqTag",
          "Effect": "Allow",
          "Action": [
            "sqs:CreateQueue",
            "sqs:DeleteQueue",
            "sqs:SetQueueAttributes",
            "sqs:tagqueue"
          ],
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/environment": "${aws:PrincipalTag/environment}"
            }
          }
        },
        {
          "Sid": "DenyAccessForProd",
          "Effect": "Deny",
          "Action": "sqs:*",
          "Resource": "*",
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/stage": "prod"
            }
          }
        }
      ]
    }

4. Choose Review policy.
5. Choose Create policy.
Using Amazon CloudFormation

Use the following example Amazon CloudFormation template to create an IAM user with an attached inline policy and an Amazon SQS queue:

    AWSTemplateFormatVersion: "2010-09-09"
    Description: "CloudFormation template to create IAM user with custom inline policy"
    Resources:
      IAMPolicy:
        Type: "AWS::IAM::Policy"
        Properties:
          PolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Sid": "AllowAccessForSameResTag",
                  "Effect": "Allow",
                  "Action": [
                    "sqs:SendMessage",
                    "sqs:ReceiveMessage",
                    "sqs:DeleteMessage"
                  ],
                  "Resource": "*",
                  "Condition": {
                    "StringEquals": {
                      "aws:ResourceTag/environment": "${aws:PrincipalTag/environment}"
                    }
                  }
                },
                {
                  "Sid": "AllowAccessForSameReqTag",
                  "Effect": "Allow",
                  "Action": [
                    "sqs:CreateQueue",
                    "sqs:DeleteQueue",
                    "sqs:SetQueueAttributes",
                    "sqs:tagqueue"
                  ],
                  "Resource": "*",
                  "Condition": {
                    "StringEquals": {
                      "aws:RequestTag/environment": "${aws:PrincipalTag/environment}"
                    }
                  }
                },
                {
                  "Sid": "DenyAccessForProd",
                  "Effect": "Deny",
                  "Action": "sqs:*",
                  "Resource": "*",
                  "Condition": {
                    "StringEquals": {
                      "aws:ResourceTag/stage": "prod"
                    }
                  }
                }
              ]
            }
          Users:
            # Ref returns the user name and makes CloudFormation create the user
            # before the policy, so the attach step cannot run against a user
            # that does not exist yet.
            - !Ref IAMUser
          PolicyName: tagQueuePolicy
      IAMUser:
        Type: "AWS::IAM::User"
        Properties:
          Path: "/"
          UserName: "testUser"
          Tags:
            - Key: "environment"
              Value: "beta"
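The policy above is the same in the console and CloudFormation procedures, so it is worth checking its effect before deploying it. The following script is an added example, not code from the AWS documentation or from any AWS SDK: it embeds the page's inline policy and runs a deliberately simplified local simulation of IAM's evaluation for it (only the StringEquals operator, only aws:ResourceTag, aws:RequestTag and ${aws:PrincipalTag/...} variables, identity policy only, no SCPs or resource policies, exact-case tag comparison). The functions resolve_variable, action_matches, condition_holds and evaluate, and the sample tag sets, are this example's own constructs. It shows the cases a practitioner wants confirmed: a beta user reaching a beta queue, being blocked from a prod-staged queue even if that queue is also tagged beta, being blocked from an untagged queue, and being able to create a queue only when the request carries the matching environment tag.

```python
import json

# The inline policy exactly as given on this page, embedded so the script runs offline.
POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "AllowAccessForSameResTag", "Effect": "Allow",
      "Action": ["sqs:SendMessage", "sqs:ReceiveMessage", "sqs:DeleteMessage"],
      "Resource": "*",
      "Condition": { "StringEquals": {
        "aws:ResourceTag/environment": "${aws:PrincipalTag/environment}" } } },
    { "Sid": "AllowAccessForSameReqTag", "Effect": "Allow",
      "Action": ["sqs:CreateQueue", "sqs:DeleteQueue", "sqs:SetQueueAttributes", "sqs:tagqueue"],
      "Resource": "*",
      "Condition": { "StringEquals": {
        "aws:RequestTag/environment": "${aws:PrincipalTag/environment}" } } },
    { "Sid": "DenyAccessForProd", "Effect": "Deny",
      "Action": "sqs:*", "Resource": "*",
      "Condition": { "StringEquals": { "aws:ResourceTag/stage": "prod" } } }
  ]
}
""")

PRINCIPAL_TAG_VAR = "${aws:PrincipalTag/"


def resolve_variable(value, principal_tags):
    """Expand a ${aws:PrincipalTag/<key>} policy variable; None if the principal lacks the tag."""
    if value.startswith(PRINCIPAL_TAG_VAR) and value.endswith("}"):
        return principal_tags.get(value[len(PRINCIPAL_TAG_VAR):-1])
    return value


def action_matches(pattern, action):
    """IAM action names are case-insensitive; a trailing '*' matches any suffix (e.g. sqs:*)."""
    pattern, action = pattern.lower(), action.lower()
    if pattern.endswith("*"):
        return action.startswith(pattern[:-1])
    return pattern == action


def condition_holds(condition, principal_tags, resource_tags, request_tags):
    """Evaluate a StringEquals block (the only operator the page's policy uses).

    A missing tag, or a principal tag the variable cannot expand, makes the
    condition false, so the statement simply does not apply to the request.
    """
    for key, expected in condition.get("StringEquals", {}).items():
        source, _, tag_key = key.partition("/")
        tags = {"aws:ResourceTag": resource_tags, "aws:RequestTag": request_tags}.get(source)
        if tags is None:
            return False  # a condition key this simplified simulation does not model
        actual = tags.get(tag_key)
        if actual is None or actual != resolve_variable(expected, principal_tags):
            return False
    return True


def evaluate(action, principal_tags, resource_tags=None, request_tags=None):
    """Return 'Allow' or 'Deny' for one request: an explicit Deny wins, then any Allow, else Deny."""
    resource_tags = resource_tags or {}
    request_tags = request_tags or {}
    allowed = False
    for stmt in POLICY["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(action_matches(p, action) for p in actions):
            continue
        if not condition_holds(stmt.get("Condition", {}), principal_tags, resource_tags, request_tags):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        allowed = True
    return "Allow" if allowed else "Deny"


if __name__ == "__main__":
    beta = {"environment": "beta"}  # the tag set of the user created in the steps above
    print(evaluate("sqs:SendMessage", beta, resource_tags={"environment": "beta"}))
    print(evaluate("sqs:SendMessage", beta, resource_tags={"environment": "prod"}))
    print(evaluate("sqs:SendMessage", beta, resource_tags={"environment": "beta", "stage": "prod"}))
    print(evaluate("sqs:SendMessage", beta, resource_tags={}))
    print(evaluate("sqs:CreateQueue", beta, request_tags={"environment": "beta"}))
    print(evaluate("sqs:CreateQueue", beta, request_tags={}))
    print(evaluate("sqs:TagQueue", beta, request_tags={"environment": "beta"}))
    print(evaluate("sqs:ListQueues", beta))
```

Two observations the simulation makes concrete. First, the Allow statements only ever match when the tag is present, so a queue created outside this policy without an environment tag is unreachable to the tagged user; tagging is therefore mandatory, not optional, for this scheme to work. Second, the policy grants no list or read-attribute actions at all, so a user who can send to a queue still cannot enumerate queues to find it; that is usually the intended least-privilege outcome, but it is worth confirming before deployment.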