我试图限制一个进程只能列出某些 FSx 系统。我的 EC2 实例附加了一个角色,其中包含如下声明。
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"fsx:Describe*",
"fsx:List*",
"fsx:UpdateFileSystem"
],
"Resource": [
"arn:aws:fsx:us-west-2:75xxxxxxx648:file-system/fs-0e8d9xxxxxxxef3b",
"arn:aws:fsx:us-west-2:75xxxxxxx648:file-system/fs-07bcxxxxxxxx5e43"
]
}
但是当我尝试列出文件系统时,在使用描述操作时出现错误。
ubuntu@ip-10-129-10-194:~$ aws fsx describe-file-systems --region=us-west-2
An error occurred (AccessDeniedException) when calling the DescribeFileSystems operation: User: arn:aws:sts::75xxxxxxx648:assumed-role/Cloud-Manager-Operator-399y9hM/i-00d9xxxxxxf16 is not authorized to perform: fsx:DescribeFileSystems on resource: arn:aws:fsx:us-west-2:75xxxxxxx648:file-system/* because no identity-based policy allows the fsx:DescribeFileSystems action
即使指定我在角色中列出的 FSxN 文件系统之一,我也会收到错误:
ubuntu@ip-10-129-10-194:~$ aws fsx describe-file-systems --region=us-west-2 --file-system-ids fs-07bxxxxxx5e43
An error occurred (AccessDeniedException) when calling the DescribeFileSystems operation: User: arn:aws:sts::75xxxxxxx648:assumed-role/Cloud-Manager-Operator-399y9hM/i-00d9bxxxxxff16 is not authorized to perform: fsx:DescribeFileSystems on resource: arn:aws:fsx:us-west-2:75xxxxxxx648:file-system/* because no identity-based policy allows the fsx:DescribeFileSystems action
有谁知道如何让 AWS 默默地忽略我无权访问的文件系统?
不支持将描述功能限制为特定 FSx 系统。请注意以下页面: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonfsx.html
如果您查看“DescribeFileSystems”列,则“资源类型”列中没有任何值。
请注意,支持限制特定 FSx 系统的更新/删除。