1 個回答
- 最新
- 最多得票
- 最多評論
1
You can use conditions in IAM policies to differentiate permissions based on the context of the AssumeRoleWithWebIdentity request. The policy can inspect the token.actions.githubusercontent.com:sub claim from the GitHub Actions token to apply different permissions based on the repository making the request. You can attach these policies to your single IAM role.
However, remember that this approach doesn't grant entirely separate sets of permissions for each repo. Instead, it applies conditions to the permissions based on which repo is making the request. Below is an example of how you can structure your IAM policies:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowS3ActionsForRepoFoo", "Effect": "Allow", "Action": [ "s3:PutObject", "s3:GetObject" // ... other S3 actions ], "Resource": "arn:aws:s3:::example-bucket-for-foo/*", "Condition": { "StringLike": { "aws:RequestTag/repo": "org/foo" } } }, { "Sid": "AllowEC2ActionsForRepoBar", "Effect": "Allow", "Action": [ "ec2:StartInstances", "ec2:StopInstances" // ... other EC2 actions ], "Resource": "*", "Condition": { "StringLike": { "aws:RequestTag/repo": "org/bar" } } } ] }
If this has answered your question or was helpful, accepting the answer would be greatly appreciated. Thank you!
相關內容
- 已提問 2 個月前
- AWS 官方已更新 1 年前
- AWS 官方已更新 9 個月前