我试图限制一个进程只能列出某些 FSx 系统。我的 EC2 实例附加了一个角色,其中包含如下声明。
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"fsx:Describe*",
"fsx:List*",
"fsx:UpdateFileSystem"
],
"Resource": [
"arn:aws:fsx:us-west-2:75xxxxxxx648:file-system/fs-0e8d9xxxxxxxef3b",
"arn:aws:fsx:us-west-2:75xxxxxxx648:file-system/fs-07bcxxxxxxxx5e43"
]
}
但是当我尝试列出文件系统时,在使用描述操作时出现错误。
ubuntu@ip-10-129-10-194:~$ aws fsx describe-file-systems --region=us-west-2
An error occurred (AccessDeniedException) when calling the DescribeFileSystems operation: User: arn:aws:sts::75xxxxxxx648:assumed-role/Cloud-Manager-Operator-399y9hM/i-00d9xxxxxxf16 is not authorized to perform: fsx:DescribeFileSystems on resource: arn:aws:fsx:us-west-2:75xxxxxxx648:file-system/* because no identity-based policy allows the fsx:DescribeFileSystems action
即使指定我在角色中列出的 FSxN 文件系统之一,我也会收到错误:
ubuntu@ip-10-129-10-194:~$ aws fsx describe-file-systems --region=us-west-2 --file-system-ids fs-07bxxxxxx5e43
An error occurred (AccessDeniedException) when calling the DescribeFileSystems operation: User: arn:aws:sts::75xxxxxxx648:assumed-role/Cloud-Manager-Operator-399y9hM/i-00d9bxxxxxff16 is not authorized to perform: fsx:DescribeFileSystems on resource: arn:aws:fsx:us-west-2:75xxxxxxx648:file-system/* because no identity-based policy allows the fsx:DescribeFileSystems action
有谁知道如何让 AWS 默默地忽略我无权访问的文件系统?