blocks|key|2669071|text|您可以创建一个KMS键，然后为KMS键创建一个策略，该策略只授予您所需的角色访问权限。如下所示：|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|2669072|​|2669073|{
++++"Version":+"2012-10-17",
++++"Id":+"key-default-admin",
++++"Statement":+[
++++++++{
++++++++++++"Sid":+"Enable+IAM+User+Permissions",
++++++++++++"Effect":+"Allow",
++++++++++++"Principal":+{
++++++++++++++++"AWS":+"arn:aws:iam::<AWS_ACCOUNT_ID>:root"
++++++++++++},
++++++++++++"Action":+"kms:*",
++++++++++++"Resource":+"*"
++++++++},
++++++++{
++++++++++++"Sid":+"Allow+administration+of+the+key",
++++++++++++"Effect":+"Allow",
++++++++++++"Principal":+{
++++++++++++++++"AWS":+[
++++++++++++++++++++"arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>",
++++++++++++++++++++"arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
++++++++++++++++]
++++++++++++},
++++++++++++"Action":+[
++++++++++++++++"kms:Create*",
++++++++++++++++"kms:Describe*",
++++++++++++++++"kms:Enable*",
++++++++++++++++"kms:List*",
++++++++++++++++"kms:Put*",
++++++++++++++++"kms:Update*",
++++++++++++++++"kms:Revoke*",
++++++++++++++++"kms:Disable*",
++++++++++++++++"kms:Get*",
++++++++++++++++"kms:Delete*",
++++++++++++++++"kms:ScheduleKeyDeletion",
++++++++++++++++"kms:CancelKeyDeletion"
++++++++++++],
++++++++++++"Resource":+"*"
++++++++},
++++++++{
++++++++++++"Sid":+"Allow+use+of+the+key",
++++++++++++"Effect":+"Allow",
++++++++++++"Principal":+{
++++++++++++++++"AWS":+[
++++++++++++++++++++"arn:aws:iam::<AWS_ACCOUNT_ID>:role/AdminRole",
++++++++++++++++++++"arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
++++++++++++++++]
++++++++++++},
++++++++++++"Action":+[
++++++++++++++++"kms:DescribeKey",
++++++++++++++++"kms:Encrypt",
++++++++++++++++"kms:Decrypt",
++++++++++++++++"kms:ReEncrypt*",
++++++++++++++++"kms:GenerateDataKey",
++++++++++++++++"kms:GenerateDataKeyWithoutPlaintext"
++++++++++++],
++++++++++++"Resource":+"*"
++++++++},
++++++++{
++++++++++++"Sid":+"Deny+use+of+the+key",
++++++++++++"Effect":+"Deny",
++++++++++++"Principal":+{
++++++++++++++++"AWS":+"arn:aws:iam::<AWS_ACCOUNT_ID>:root"
++++++++++++},
++++++++++++"Action":+"kms:*",
++++++++++++"Resource":+"*",
++++++++++++"Condition":+{
++++++++++++++++"StringNotLike":+{
++++++++++++++++++++"aws:PrincipalArn":+[
++++++++++++++++++++++++"arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>",
++++++++++++++++++++++++"arn:aws:iam::<AWS_ACCOUNT_ID>:role/<ROLE_NAME>"
++++++++++++++++++++]
++++++++++++++++}
++++++++++++}
++++++++}
++++]
}|code-block|syntax|javascript|2669074|2669075|entityMap|0|LINK|mutability|MUTABLE|url|https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html^0|7|4|0|0|0|0|0^^$0|@$1|2|3|4|5|6|7|T|8|@]|9|@$A|U|B|V|1|W]]|C|$]]|$1|D|3|E|5|6|7|X|8|@]|9|@]|C|$]]|$1|F|3|G|5|H|7|Y|8|@]|9|@]|C|$I|J]]|$1|K|3|E|5|6|7|Z|8|@]|9|@]|C|$]]|$1|L|3|-4|5|6|7|10|8|@]|9|@]|C|$]]]|M|$N|$5|O|P|Q|C|$R|S]]]]

<p>You could create a <a href="https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html" rel="nofollow noreferrer">KMS key</a> then create a policy for the KMS key which grants access only to the roles you need. Something like below:</p>
<p><div class="snippet" data-lang="js" data-hide="false" data-console="true" data-babel="false">
<div class="snippet-code">
<pre class="snippet-code-html lang-html prettyprint-override"><code>{
    "Version": "2012-10-17",
    "Id": "key-default-admin",
    "Statement": [
        {
            "Sid": "Enable IAM User Permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:root"
            },
            "Action": "kms:*",
            "Resource": "*"
        },
        {
            "Sid": "Allow administration of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/&lt;ROLE_NAME&gt;",
                    "arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/&lt;ROLE_NAME&gt;"
                ]
            },
            "Action": [
                "kms:Create*",
                "kms:Describe*",
                "kms:Enable*",
                "kms:List*",
                "kms:Put*",
                "kms:Update*",
                "kms:Revoke*",
                "kms:Disable*",
                "kms:Get*",
                "kms:Delete*",
                "kms:ScheduleKeyDeletion",
                "kms:CancelKeyDeletion"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Allow use of the key",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/AdminRole",
                    "arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/&lt;ROLE_NAME&gt;"
                ]
            },
            "Action": [
                "kms:DescribeKey",
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ReEncrypt*",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlaintext"
            ],
            "Resource": "*"
        },
        {
            "Sid": "Deny use of the key",
            "Effect": "Deny",
            "Principal": {
                "AWS": "arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:root"
            },
            "Action": "kms:*",
            "Resource": "*",
            "Condition": {
                "StringNotLike": {
                    "aws:PrincipalArn": [
                        "arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/&lt;ROLE_NAME&gt;",
                        "arn:aws:iam::&lt;AWS_ACCOUNT_ID&gt;:role/&lt;ROLE_NAME&gt;"
                    ]
                }
            }
        }
    ]
}</code></pre>
</div>
</div>
</p>


blocks|key|2669138|text|我能够通过在资源策略上使用一个条件并指定aws中角色的ARN+(Ref：https://aws.amazon.com/blogs/security/iam-makes-it-easier-to-manage-permissions-for-aws-services-accessing-resources/)来实现这一点。|type|unstyled|depth|inlineStyleRanges|entityRanges|offset|length|data|2669139|{
++"Version"+:+"2012-10-17",
++"Statement"+:+[+
++++{
++++++++"Sid"+:+"Get",
++++++++"Effect"+:+"Deny",
++++++++"Principal"+:+"*",
++++++++"Action"+:+"secretsmanager:GetSecretValue",
++++++++"Resource"+:+"<<ARN+OF+Secret>>",
++++++++"Condition"+:+{
++++++++++"StringNotLike"+:+{
++++++++++++"aws:PrincipalArn"+:+[+
++++++++++++++++"<<ARN+of+IAM_role_that_need_to_access_the_secret>>"+]
++++++++++}
++++}
++}+]
}|code-block|syntax|javascript|2669140|entityMap|0|LINK|mutability|MUTABLE|url|https://aws.amazon.com/blogs/security/iam-makes-it-easier-to-manage-permissions-for-aws-services-accessing-resources/^0|10|39|0|0|0^^$0|@$1|2|3|4|5|6|7|Q|8|@]|9|@$A|R|B|S|1|T]]|C|$]]|$1|D|3|E|5|F|7|U|8|@]|9|@]|C|$G|H]]|$1|I|3|-4|5|6|7|V|8|@]|9|@]|C|$]]]|J|$K|$5|L|M|N|C|$O|P]]]]

<p>I was able to achieve this with using a Condition on the Resource Policy and specifying the ARN of the Role in aws:PrincipalArn (Ref: <a href="https://aws.amazon.com/blogs/security/iam-makes-it-easier-to-manage-permissions-for-aws-services-accessing-resources/" rel="nofollow noreferrer">https://aws.amazon.com/blogs/security/iam-makes-it-easier-to-manage-permissions-for-aws-services-accessing-resources/</a>)</p>
<pre><code>{
  &quot;Version&quot; : &quot;2012-10-17&quot;,
  &quot;Statement&quot; : [ 
    {
        &quot;Sid&quot; : &quot;Get&quot;,
        &quot;Effect&quot; : &quot;Deny&quot;,
        &quot;Principal&quot; : &quot;*&quot;,
        &quot;Action&quot; : &quot;secretsmanager:GetSecretValue&quot;,
        &quot;Resource&quot; : &quot;&lt;&lt;ARN OF Secret&gt;&gt;&quot;,
        &quot;Condition&quot; : {
          &quot;StringNotLike&quot; : {
            &quot;aws:PrincipalArn&quot; : [ 
                &quot;&lt;&lt;ARN of IAM_role_that_need_to_access_the_secret&gt;&gt;&quot; ]
          }
    }
  } ]
}
</code></pre>


<p>I have a secret in secrets manager and there are multiple IAM roles in the system. I only want only one role to access the scecret. Unfortunately there are some other IAM roles that have full Secrets Manager privileges. So i want to restrict the access to the secret to all other roles except desired one by me.</p>
<p>roles</p>
<ol>
<li>IAM_role_that_need_to_access_the_secret.</li>
<li>IAM_role_1_that_should_not_access_the_secret.</li>
<li>IAM_role_2_that_should_not_access_the_secret.</li>
</ol>
<p>The following is working.</p>
<pre><code>    {
  &quot;Version&quot;: &quot;2012-10-17&quot;,
  &quot;Statement&quot;: [
    {
      &quot;Effect&quot;: &quot;Deny&quot;,
      &quot;Action&quot;: &quot;secretsmanager:GetSecretValue&quot;,
      &quot;Principal&quot;: {
        &quot;AWS&quot;: &quot;arn:aws:iam::IAM_role_1_that_should_not_access_the_secret&quot;,
        &quot;AWS&quot;: &quot;arn:aws:iam::IAM_role_2_that_should_not_access_the_secret&quot;
      },
      &quot;Resource&quot;: &quot;*&quot;
    },
    {
      &quot;Effect&quot;: &quot;Allow&quot;,
      &quot;Principal&quot;: {
        &quot;AWS&quot;: &quot;arn:aws:iam::IAM_role_that_need_to_access_the_secret&quot;
      },
      &quot;Action&quot;: &quot;secretsmanager:GetSecretValue&quot;,
      &quot;Resource&quot;: &quot;*&quot;,
      &quot;Condition&quot;: {
        &quot;ForAnyValue:StringEquals&quot;: {
          &quot;secretsmanager:VersionStage&quot;: &quot;AWSCURRENT&quot;
        }
      }
    }
  ]
}
</code></pre>
<p>But i want to Deny access to all roles without explicitly mentioning each of them in the Deny permission section. Something like below. But it will restrict to all roles including the desired role.</p>
<pre><code>    {
  &quot;Version&quot;: &quot;2012-10-17&quot;,
  &quot;Statement&quot;: [
    {
      &quot;Effect&quot;: &quot;Deny&quot;,
      &quot;Action&quot;: &quot;secretsmanager:GetSecretValue&quot;,
      &quot;Principal&quot;: {&quot;AWS&quot;: &quot;*&quot;},
      &quot;Resource&quot;: &quot;*&quot;
    },
    {
      &quot;Effect&quot;: &quot;Allow&quot;,
      &quot;Principal&quot;: {
        &quot;AWS&quot;: &quot;arn:aws:iam::IAM_role_that_need_to_access_the_secret&quot;
      },
      &quot;Action&quot;: &quot;secretsmanager:GetSecretValue&quot;,
      &quot;Resource&quot;: &quot;*&quot;,
      &quot;Condition&quot;: {
        &quot;ForAnyValue:StringEquals&quot;: {
          &quot;secretsmanager:VersionStage&quot;: &quot;AWSCURRENT&quot;
        }
      }
    }
  ]
}
</code></pre>


AWS Secrets Manager Resource Policy to Deny all roles Except one Role

翻译质量差，导致语言生硬或混乱。

没有提供实际的解决方法或示例。

解答不清晰，无法理解或解决问题。

页面排版不美观，阅读体验差。

文章

问答

视频

学习中心

腾讯云实验室

直播

竞赛

腾讯云代码分析专区

腾讯iOA零信任安全管理系统专区

腾讯云架构师技术同盟交流圈

腾讯云数据库专区

腾讯云顾问专区

腾讯云原生专区

腾讯混元专区

腾讯云TCE专区

腾讯云Lighthouse专区

腾讯云HAI专区

腾讯云Edgeone专区

腾讯云存储专区

腾讯云智能专区

腾讯轻联专区 

腾讯云开发专区

TAPD专区

腾讯轻量云游戏服专区

腾讯云最具价值专家

腾讯云架构师技术同盟

腾讯云创作之星

腾讯云开发者先锋

腾讯云代码助手

云原生构建

TAPD 敏捷项目管理

Cloud Studio

SDK中心

API中心

命令行工具

涵盖代码开发、场景应用、自动测试全流程，助你从零构建专属AI助手

一站式MCP教程库，解锁AI应用新玩法

我在秘密经理中有一个秘密，系统中有多个IAM角色。我只想要一个角色进入剪刀。不幸的是，还有一些其他IAM角色拥有完整的秘密管理器特权。因此，我想限制对所有其他角色的秘密的访问，除了我想要的角色。角色IAM_role_that_need_to_access_the_secret。IAM_role_1_that_shoul...

问AWS秘密管理器资源策略以拒绝除一个角色之外的所有角色
EN

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问AWS秘密管理器资源策略以拒绝除一个角色之外的所有角色EN

社区

活动

圈层

关于

腾讯云开发者

热门产品

热门推荐

更多推荐

问AWS秘密管理器资源策略以拒绝除一个角色之外的所有角色
EN