In all of the IAM Policy examples, they mention using wildcards (*) as placeholders for "stuff". However, the examples always use them at the end, and/or only demonstrate with one wildcard (e.g. to list everything in folder "xyz" with .../xyz/*).
I can't find anything definitive regarding the use of multiple wildcards, for example to match anything in subfolders across multiple buckets:
    arn:aws:s3:::mynamespace-property*/logs/*
to allow something to see any log files across a "production" (mynamespace-property-prod) and "sandbox" (mynamespace-property-sand) bucket.
Not sure, but "all of a sudden" (you know what I'm talking about) it's working in the policy simulator with:
Where 'Policy 2' is:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "ExplicitlyDenyAnythingExceptOwnNamedFolder",
          "Action": [ "s3:*" ],
          "Effect": "Deny",
          "NotResource": [ "arn:aws:s3:::mynamespace-property*/subfolder/${aws:username}/*" ]
        }
      ]
    }
As a sidenote, be aware that arn:aws:s3:::mynamespace-property*/${aws:username}/* (no explicit subfolder) will match both with and without "intervening" subfolders:
    arn:aws:s3:::mynamespace-property-suffix/subfolder/theuser/files...
    arn:aws:s3:::mynamespace-property-suffix/theuser/files...
Yes, it will work.
From the documentation:
You can use wildcards as part of the resource ARN. You can use wildcard characters (* and ?) within any ARN segment (the parts separated by colons). An asterisk (*) represents any combination of characters and a question mark (?) represents any single character. You can have use multiple * or ? characters in each segment, but a wildcard cannot span segments.
I am going to say the "You can have use multiple " is a typo in the doc and they mean "you can use".
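To see concretely what the quoted wildcard rule means for the question's pattern and for the sidenote in the first answer, here is an added example (not code from the question, either answer, or AWS) that implements that rule as a matcher and runs it over a constructed set of object ARNs; the sample bucket and key names are made up, and `${aws:username}` is filled from an assumed request context.

```python
import re

# Policy variables such as ${aws:username} inside a resource pattern.
POLICY_VAR = re.compile(r"\$\{([^}]+)\}")


def arn_pattern_to_regex(pattern: str):
    """Compile an IAM resource pattern per the quoted doc rule: '*' is any
    run of characters and '?' any single character, but neither crosses a
    colon-separated ARN segment. Inside the S3 resource segment (bucket and
    key, which contain no colons) '*' therefore also spans '/'."""
    out = []
    for ch in pattern:
        if ch == "*":
            out.append("[^:]*")
        elif ch == "?":
            out.append("[^:]")
        else:
            out.append(re.escape(ch))
    return re.compile("".join(out))


def expand_policy_variables(pattern: str, context: dict) -> str:
    """Substitute policy variables from the request context (assumed keys
    such as 'aws:username'); unknown variables are left as written."""
    return POLICY_VAR.sub(lambda m: context.get(m.group(1), m.group(0)), pattern)


def arn_matches(pattern: str, arn: str, context=None) -> bool:
    if context:
        pattern = expand_policy_variables(pattern, context)
    return arn_pattern_to_regex(pattern).fullmatch(arn) is not None


def matched_arns(pattern: str, arns, context=None):
    """Return the subset of candidate object ARNs the pattern covers."""
    return [a for a in arns if arn_matches(pattern, a, context)]


# Constructed sample objects in a 'prod' and a 'sand' bucket plus a stranger.
SAMPLE_ARNS = [
    "arn:aws:s3:::mynamespace-property-prod/logs/app.log",
    "arn:aws:s3:::mynamespace-property-sand/logs/2024/app.log",
    "arn:aws:s3:::mynamespace-property-prod/subfolder/theuser/report.csv",
    "arn:aws:s3:::mynamespace-property-prod/theuser/report.csv",
    "arn:aws:s3:::other-bucket/logs/app.log",
]

if __name__ == "__main__":
    ctx = {"aws:username": "theuser"}
    print(matched_arns("arn:aws:s3:::mynamespace-property*/logs/*", SAMPLE_ARNS))
    # The sidenote's pattern: the first '*' swallows '-prod/subfolder', so
    # the nested and the top-level per-user folder are both covered.
    print(matched_arns("arn:aws:s3:::mynamespace-property*/${aws:username}/*", SAMPLE_ARNS, ctx))
```

Running it shows the two-wildcard pattern from the question reaching both buckets' log keys, and the sidenote's pattern matching with and without the intervening subfolder; adding the explicit "subfolder/" segment narrows it to the nested path only.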