Reading and using this http://docs.aws.amazon.com/cli/latest/reference/sqs/add-permission.html, but I can't see a way to add a 'deny' rule for a user+action combination, it is adding an 'allow' rule by default, and I can't seem to modify it.
Through the web management console, you can easily add 'deny' rules.
Ideas?
Update: It looks as if the actual answer is the CLI tool simply offers limited functionality when it comes to permissions unless you want to write your own policy document, but the first part of my answer was incorrect:
As I understand it, SQS permissions don't "deny" -- they only "allow", but the "allow" can be subject to conditions you can add in the console or via the API to associate other "but only if" tests with the permission such as date ranges and IP address ranges.
It looks like the design of the CLI is such that conditions [add: and policies with "Effect = Deny"] aren't handled by add-permission, which only supports simple grants... to attach conditions, you have to generate a policy document, which you can attach with set-queue-attributes.
add-permission writes an SQS-generated policy. If you want to write your own policy, use set-queue-attributes to upload your policy.
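One way to take the set-queue-attributes route described in the answer, as an added example that is not part of the original post: it builds an "Effect": "Deny" statement, merges it into the queue's current policy, and writes the attributes file the CLI expects. The queue ARN, user ARN, Sid values and the existing policy are constructed placeholders, and the helper names are hypothetical.

```python
import json

def deny_statement(sid, principal_arn, actions, queue_arn):
    """Build one Effect=Deny statement for a user+action combination."""
    return {"Sid": sid, "Effect": "Deny", "Principal": {"AWS": principal_arn},
            "Action": [f"sqs:{a}" for a in actions], "Resource": queue_arn}

def merge_statement(existing_policy_json, statement):
    """Add or replace a statement by Sid, keeping the queue's other statements.

    set-queue-attributes overwrites the whole Policy attribute, so the current
    policy (aws sqs get-queue-attributes --attribute-names Policy) is carried over.
    """
    if existing_policy_json:
        policy = json.loads(existing_policy_json)
    else:
        policy = {"Version": "2012-10-17", "Statement": []}
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):  # a lone statement may be a bare object
        stmts = [stmts]
    kept = [s for s in stmts if s.get("Sid") != statement["Sid"]]
    policy["Statement"] = kept + [statement]
    return policy

def attributes_file_body(policy):
    """--attributes is a string-to-string map, so the policy is JSON inside JSON."""
    return json.dumps({"Policy": json.dumps(policy)}, indent=2)

# Constructed sample values (placeholders, not from the original post).
QUEUE_ARN = "arn:aws:sqs:us-east-1:111122223333:example-queue"
USER_ARN = "arn:aws:iam::111122223333:user/example-user"
# Constructed stand-in for a policy that already has an Allow grant on the queue.
EXISTING = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Sid": "ExistingAllowSend", "Effect": "Allow",
    "Principal": {"AWS": USER_ARN}, "Action": "sqs:SendMessage",
    "Resource": QUEUE_ARN}]})

if __name__ == "__main__":
    stmt = deny_statement("DenyDeleteForExampleUser", USER_ARN,
                          ["DeleteMessage"], QUEUE_ARN)
    with open("attributes.json", "w") as fh:
        fh.write(attributes_file_body(merge_statement(EXISTING, stmt)))
    # Then upload it:
    #   aws sqs set-queue-attributes --queue-url <queue-url> \
    #       --attributes file://attributes.json
```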