IAM policies: allow s3 accesspoint arns (#6743)
This commit is contained in:
parent
de44a85ed2
commit
7098388ee4
@ -56,11 +56,17 @@ VALID_CONDITION_PREFIXES = ["ForAnyValue:", "ForAllValues:"]
|
|||||||
|
|
||||||
VALID_CONDITION_POSTFIXES = ["IfExists"]
|
VALID_CONDITION_POSTFIXES = ["IfExists"]
|
||||||
|
|
||||||
SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS = {
|
SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS: Dict[str, Any] = {
|
||||||
"iam": "IAM resource {resource} cannot contain region information.",
|
"iam": {
|
||||||
"s3": "Resource {resource} can not contain region information.",
|
"error_message": "IAM resource {resource} cannot contain region information."
|
||||||
|
},
|
||||||
|
"s3": {
|
||||||
|
"error_message": "Resource {resource} can not contain region information.",
|
||||||
|
"valid_starting_values": ["accesspoint/"],
|
||||||
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
VALID_RESOURCE_PATH_STARTING_VALUES: Dict[str, Any] = {
|
VALID_RESOURCE_PATH_STARTING_VALUES: Dict[str, Any] = {
|
||||||
"iam": {
|
"iam": {
|
||||||
"values": [
|
"values": [
|
||||||
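Review bot: The new per-service value shape of `SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS` is undocumented, and the `Dict[str, Any]` annotation hides that every value is itself a mapping; `Dict[str, Dict[str, Any]]` would say so using only the names already on that line. A comment above the dict naming the keys the validator reads would help the next maintainer, e.g. `# Per service: "error_message" (required) is the resource error recorded when the ARN carries a region; "valid_starting_values" (optional) lists resource-id prefixes that are allowed to carry one.` It is also worth stating there that the `iam` entry deliberately has no `valid_starting_values`, so region-qualified IAM ARNs are still rejected as before.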
@ -375,20 +381,34 @@ class BaseIAMPolicyValidator:
|
|||||||
resource_partitions = resource_partitions[2].partition(":")
|
resource_partitions = resource_partitions[2].partition(":")
|
||||||
|
|
||||||
service = resource_partitions[0]
|
service = resource_partitions[0]
|
||||||
|
region = resource_partitions[2]
|
||||||
|
resource_partitions = resource_partitions[2].partition(":")
|
||||||
|
|
||||||
|
resource_partitions = resource_partitions[2].partition(":")
|
||||||
|
resource_id = resource_partitions[2]
|
||||||
|
|
||||||
if (
|
if (
|
||||||
service in SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS.keys()
|
service in SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS.keys()
|
||||||
and not resource_partitions[2].startswith(":")
|
and not region.startswith(":")
|
||||||
):
|
):
|
||||||
self._resource_error = (
|
valid_start = False
|
||||||
SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS[service].format(
|
|
||||||
resource=resource
|
|
||||||
)
|
|
||||||
)
|
|
||||||
return
|
|
||||||
|
|
||||||
resource_partitions = resource_partitions[2].partition(":")
|
for (
|
||||||
resource_partitions = resource_partitions[2].partition(":")
|
valid_starting_value
|
||||||
|
) in SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS[service].get(
|
||||||
|
"valid_starting_values", []
|
||||||
|
):
|
||||||
|
if resource_id.startswith(valid_starting_value):
|
||||||
|
valid_start = True
|
||||||
|
break
|
||||||
|
|
||||||
|
if not valid_start:
|
||||||
|
self._resource_error = (
|
||||||
|
SERVICE_TYPE_REGION_INFORMATION_ERROR_ASSOCIATIONS[service][
|
||||||
|
"error_message"
|
||||||
|
].format(resource=resource)
|
||||||
|
)
|
||||||
|
return
|
||||||
|
|
||||||
if service in VALID_RESOURCE_PATH_STARTING_VALUES.keys():
|
if service in VALID_RESOURCE_PATH_STARTING_VALUES.keys():
|
||||||
valid_start = False
|
valid_start = False
|
||||||
|
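Review bot: The new local `region` on the line `region = resource_partitions[2]` does not hold the region: `str.partition` leaves the whole remainder (`region:account:resource-id`) in index 2, so the later guard `and not region.startswith(":")` only works because that remainder begins with the region field, exactly as the old `resource_partitions[2].startswith(":")` did. Renaming it avoids misleading the next reader, `arn_tail = resource_partitions[2]` and `and not arn_tail.startswith(":")`, without changing behaviour. A short comment on the `valid_starting_values` loop would also help, since this is the line that widens acceptance: `# Only resource ids with an allowed prefix (e.g. S3 "accesspoint/") may carry a region; any other region-qualified ARN for this service is still an error.` The enclosing method starts and ends outside the hunk.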
@ -1607,6 +1607,20 @@ valid_policy_documents = [
|
|||||||
},
|
},
|
||||||
],
|
],
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"Version": "2012-10-17",
|
||||||
|
"Statement": [
|
||||||
|
{
|
||||||
|
"Sid": "",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Action": ["s3:*"],
|
||||||
|
"Resource": [
|
||||||
|
"arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point",
|
||||||
|
"arn:aws:s3:us-west-2:123456789012:accesspoint/my-access-point/object/*",
|
||||||
|
],
|
||||||
|
},
|
||||||
|
],
|
||||||
|
},
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
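Review bot: Only the positive case is added here; the validator change keeps rejecting region-qualified S3 ARNs whose resource id does not start with `accesspoint/`, and that path, together with the `error_message` text it produces, is not exercised by this hunk. If the file has a list of invalid documents with expected error messages (not visible in this hunk), a constructed case such as `"arn:aws:s3:us-west-2:123456789012:my-bucket"` (placeholder values) expecting the region error would pin that the relaxation is limited to access points. A region-less access point ARN, `arn:aws:s3:::accesspoint/name`, may also be worth listing so the prefix rule is not accidentally required.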