限制对名称中带有通配符的CodeCommit分支的访问的AWS IAM策略

Question

亚马逊现在支持通过IAM策略逐个分支地限制对CodeCommit存储库的访问。

我已经使用下面的策略形式成功地拒绝了对特定分支的访问，但找不到一种方法来拒绝对以特定名称开头的所有分支的访问。例如: master和develop是具体的分支，但是我有release-1，release-2等等，我也想否认。我想要的是能够使用通配符。我尝试过release-*，但没有起作用。它们的格式是否包含通配符在"codecommit:References"？

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "codecommit:GitPush",
                "codecommit:DeleteBranch",
                "codecommit:PutFile",
                "codecommit:MergePullRequestByFastForward"
            ],
            "Resource": "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo",
            "Condition": {
                "StringEqualsIfExists": {
                    "codecommit:References": [
                        "refs/heads/master",
                        "refs/heads/develop",
                        "refs/heads/release-[now what]"
                    ]
                },
            "Null": {
                "codecommit:References": false
                }
            }
        }
    ]
}

Answer 1

这是一个IAM策略，它应该支持这里列出的所有条件运算符：https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html。但是，由于GitPush操作本身在幕后涉及两个单独的操作，为了实现预期的行为，应该使用..IfExists条件运算符系列。也就是说，为了在这种情况下使用通配符，应该使用StringLikeIfExists。您的策略可以是这样的：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Deny",
            "Action": [
                "codecommit:GitPush"
            ],
            "Resource": "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo",
            "Condition": {
                "StringLikeIfExists": {
                    "codecommit:References": [
                        "refs/heads/release-*"
                    ]
                },
            "Null": {
                "codecommit:References": false
                }
            }
        },
        {
            "Effect": "Deny",
            "Action": [
                "codecommit:GitPush",
                "codecommit:DeleteBranch",
                "codecommit:PutFile",
                "codecommit:MergePullRequestByFastForward"
            ],
            "Resource": "arn:aws:codecommit:us-east-2:80398EXAMPLE:MyDemoRepo",
            "Condition": {
                "StringEqualsIfExists": {
                    "codecommit:References": [
                        "refs/heads/master",
                        "refs/heads/prod"
                    ]
                },
            "Null": {
                "codecommit:References": false
                }
            }
        }
    ]
}

这样，通配符匹配和精确匹配都应该得到支持。