Appendix G. Examples of using session tags for attribute-based access control in STS
The following list contains examples of using session tags for attribute-based access control (ABAC) in STS.
Example of session tags passed by Keycloak in the web token
```json
{
  "jti": "947960a3-7e91-4027-99f6-da719b0d4059",
  "exp": 1627438044,
  "nbf": 0,
  "iat": 1627402044,
  "iss": "http://localhost:8080/auth/realms/quickstart",
  "aud": "app-profile-jsp",
  "sub": "test",
  "typ": "ID",
  "azp": "app-profile-jsp",
  "auth_time": 0,
  "session_state": "3a46e3e7-d198-4a64-8b51-69682bcfc670",
  "preferred_username": "test",
  "email_verified": false,
  "acr": "1",
  "https://aws.amazon.com/tags": [
    {
      "principal_tags": {
        "Department": [
          "Engineering",
          "Marketing"
        ]
      }
    }
  ],
  "client_id": "app-profile-jsp",
  "username": "test",
  "active": true
}
```
Example of aws:RequestTag
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
      "Principal": {"Federated": ["arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart"]},
      "Condition": {"StringEquals": {"aws:RequestTag/Department": "Engineering"}}
    }
  ]
}
```
Example of aws:PrincipalTag
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["arn:aws:s3::t1tenant:my-test-bucket", "arn:aws:s3::t1tenant:my-test-bucket/*"],
      "Condition": {"StringEquals": {"aws:PrincipalTag/Department": "Engineering"}}
    }
  ]
}
```
Example of aws:ResourceTag
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
      "Principal": {"Federated": ["arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart"]},
      "Condition": {"StringEquals": {"iam:ResourceTag/Department": "Engineering"}}
    }
  ]
}
```
Example of aws:TagKeys
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
      "Principal": {"Federated": ["arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart"]},
      "Condition": {"ForAllValues:StringEquals": {"aws:TagKeys": ["Marketing", "Engineering"]}}
    }
  ]
}
```
- ForAllValues:StringEquals tests whether all the tag keys in the request are a subset of the tag keys listed in the policy. This condition therefore restricts which tag keys can be passed in the request.
Example of s3:ResourceTag
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutBucketTagging"],
      "Resource": ["arn:aws:s3::t1tenant:my-test-bucket", "arn:aws:s3::t1tenant:my-test-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["*"],
      "Condition": {"StringEquals": {"s3:ResourceTag/Department": "Engineering"}}
    }
  ]
}
```
- For the above to work, the Department=Engineering tag must be attached to the bucket or object to which this policy applies.
Example of aws:RequestTag with iam:ResourceTag
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["sts:AssumeRoleWithWebIdentity", "sts:TagSession"],
      "Principal": {"Federated": ["arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart"]},
      "Condition": {"StringEquals": {"aws:RequestTag/Department": "${iam:ResourceTag/Department}"}}
    }
  ]
}
```
- This assumes the role by matching the tags in the incoming request against the tags attached to the role. aws:RequestTag is the incoming tag in the JSON Web Token (JWT), and iam:ResourceTag is the tag attached to the role being assumed.
Example of aws:PrincipalTag with s3:ResourceTag
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:PutBucketTagging"],
      "Resource": ["arn:aws:s3::t1tenant:my-test-bucket", "arn:aws:s3::t1tenant:my-test-bucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:*"],
      "Resource": ["*"],
      "Condition": {"StringEquals": {"s3:ResourceTag/Department": "${aws:PrincipalTag/Department}"}}
    }
  ]
}
```
- This evaluates the role's permission policy by matching the principal tags against the S3 resource tags. aws:PrincipalTag is the tag passed along with the temporary credentials, and s3:ResourceTag is the tag attached to the S3 resource, which is either an object or a bucket.
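The following mini evaluator is an added example and is not code from the Ceph documentation or from the RGW implementation. It takes the principal_tags claim from the Keycloak token above, builds the condition context that the trust policy (aws:RequestTag, aws:TagKeys) and the permission policy (s3:ResourceTag matched against ${aws:PrincipalTag/Department}) see, and evaluates those policies the way the examples in this appendix describe. The TAGKEYS_POLICY, the bucket tag sets and the reduced token payload are constructed for the example; the decision to treat a multi-valued tag as matching a plain StringEquals when any of its values matches is an assumption of this example, not a statement about RGW.

```python
"""Mini evaluator for the tag-based conditions shown in this appendix.

Constructed example (not Ceph/RGW code). Only StringEquals and its
ForAllValues/ForAnyValue set forms are modelled.
"""
import fnmatch
import json

# Decoded Keycloak ID token payload, reduced to the claims this example uses.
JWT_CLAIMS = {
    "sub": "test",
    "https://aws.amazon.com/tags": [
        {"principal_tags": {"Department": ["Engineering", "Marketing"]}}
    ],
}

# Trust policy from the appendix: assume only if the request carries Department=Engineering.
TRUST_POLICY = json.loads("""{"Version":"2012-10-17","Statement":[{
  "Effect":"Allow","Action":["sts:AssumeRoleWithWebIdentity","sts:TagSession"],
  "Principal":{"Federated":["arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart"]},
  "Condition":{"StringEquals":{"aws:RequestTag/Department":"Engineering"}}}]}""")

# Constructed aws:TagKeys policy (assumption): only the Department key may be passed.
TAGKEYS_POLICY = json.loads("""{"Version":"2012-10-17","Statement":[{
  "Effect":"Allow","Action":["sts:AssumeRoleWithWebIdentity","sts:TagSession"],
  "Principal":{"Federated":["arn:aws:iam:::oidc-provider/localhost:8080/auth/realms/quickstart"]},
  "Condition":{"ForAllValues:StringEquals":{"aws:TagKeys":["Department"]}}}]}""")

# Permission policy from the appendix: s3:* only where the resource's Department
# tag equals the session's Department principal tag.
PERMISSION_POLICY = json.loads("""{"Version":"2012-10-17","Statement":[{
  "Effect":"Allow","Action":["s3:*"],"Resource":["*"],
  "Condition":{"StringEquals":{"s3:ResourceTag/Department":"${aws:PrincipalTag/Department}"}}}]}""")


def principal_tags(claims):
    """Flatten the https://aws.amazon.com/tags claim into {key: [values]}."""
    tags = {}
    for entry in claims.get("https://aws.amazon.com/tags", []):
        for key, values in entry.get("principal_tags", {}).items():
            tags.setdefault(key, []).extend(values if isinstance(values, list) else [values])
    return tags


def sts_context(claims):
    """Condition keys available while the trust policy is evaluated."""
    tags = principal_tags(claims)
    ctx = {"aws:RequestTag/" + k: v for k, v in tags.items()}
    ctx["aws:TagKeys"] = list(tags)
    return ctx


def s3_context(session_tags, resource_tags):
    """Condition keys available for an S3 request made with the tagged session."""
    ctx = {"aws:PrincipalTag/" + k: v for k, v in session_tags.items()}
    ctx.update({"s3:ResourceTag/" + k: [v] for k, v in resource_tags.items()})
    return ctx


def expand(value, ctx):
    """Resolve a policy variable such as ${aws:PrincipalTag/Department}."""
    if value.startswith("${") and value.endswith("}"):
        return ctx.get(value[2:-1], [])
    return [value]


def condition_ok(condition, ctx):
    """Every operator/key pair in the Condition block must hold."""
    for operator, pairs in condition.items():
        qualifier, _, base = operator.rpartition(":")  # e.g. "ForAllValues", "StringEquals"
        if base != "StringEquals":
            raise NotImplementedError(operator)
        for key, expected in pairs.items():
            wanted = [w for e in (expected if isinstance(expected, list) else [expected])
                      for w in expand(e, ctx)]
            actual = ctx.get(key, [])
            if qualifier == "ForAllValues":
                ok = all(a in wanted for a in actual)  # subset test; an absent key passes
            else:  # ForAnyValue, or plain comparison on a (possibly multi-valued) key: assumption
                ok = any(a in wanted for a in actual)
            if not ok:
                return False
    return True


def allowed(policy, action, ctx):
    """True when an Allow statement covers `action` and its Condition holds."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, pat) for pat in stmt["Action"]):
            continue
        if condition_ok(stmt.get("Condition", {}), ctx):
            return True
    return False


if __name__ == "__main__":
    sts = sts_context(JWT_CLAIMS)
    print("assume role:", allowed(TRUST_POLICY, "sts:AssumeRoleWithWebIdentity", sts))
    print("tag keys ok:", allowed(TAGKEYS_POLICY, "sts:TagSession", sts))
    session = principal_tags(JWT_CLAIMS)  # tags carried by the temporary credentials
    for bucket_tags in ({"Department": "Engineering"}, {"Department": "Finance"}):
        print(bucket_tags, "->", allowed(PERMISSION_POLICY, "s3:GetObject", s3_context(session, bucket_tags)))
```

Running the script shows the two sides of the ABAC flow: the trust policy admits the token because one of its Department values is Engineering, the aws:TagKeys policy rejects any token that tries to pass a key other than Department, and the permission policy grants s3:* on the Engineering-tagged bucket while denying the Finance-tagged one, without listing any bucket ARN in the policy.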