我想写一个IAM策略将控制对EC2实例。所有的EC2实例将有一个自定义标签名为用户名和只有在标签值相匹配的登录用户的用户名，将用户访问该EC2实例。这就是我想出了：

I am trying to write an IAM policy which will control access to ec2 instances. All ec2 instances will have a custom tag called username and only if the tag value matches the logged in user's user name, will that user have access to that ec2 instance. This is what I came up with:

{
"Version": "2012-10-12",
"Statement": [
    {
        "Effect": "Allow",
        "Action": "ec2:*",
        "Resource": "*",
        "Condition": {
            "StringEquals": {
                "ec2:ResourceTag/username": "arn:aws:iam::account-number-without-hyphens:user/username1"
            }
        }
    }
]

}

我相信你在这里看到的问题。我不想为C在右手边的用户名值硬$ C $。我希望能够获得这些信息在运行时或政策的评估时间。

I am sure you see the problem here. I don't want to hard code the username value on the right hand side. I want to be able to get that information at runtime or policy evaluation time.

是否有可能这样做？

- 苏

推荐答案

该IAM用户可以通过 $ {AWS：用户名}被称为在政策文件中。

The IAM user can be referred to in policy documents by ${aws:username}.

还有其他的IAM政策变量列表，在这里它们的用途：

There is a list of other IAM policy variables and their uses here:

http://docs.aws.amazon.com/IAM/最新/ UserGuide / PolicyVariables.html