amazon-web-services - 根据条件键创建 RDS 实例时出错

问题描述

我将以下 scp 策略附加到我的帐户，以阻止创建没有项目标签的 rds 实例。

{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "DenyCreateDBInstanceNoProjectTag",
          "Effect": "Deny",
          "Action": "rds:CreateDBInstance",
          "Resource": "arn:aws:rds:*:*:db:*",
          "Condition": {
            "Null": {
              "aws:RequestTag/Project": "true"
            }
          }
        }
      ]
    }

但是，当我使用 Project 标签创建 RDS 实例时，我收到拒绝访问错误，找不到匹配项：[Key=Project]。

aws rds create-db-instance \
    --allocated-storage 20 --db-instance-class db.m1.small \
    --db-instance-identifier mydbinstance \
    --engine mysql \
    --enable-cloudwatch-logs-exports '["audit","error","general","slowquery"]' \
    --master-username ***** \
    --master-user-password ***** 
    --tags [{"Key"="Project","Value"="test"}]

An error occurred (AccessDenied) when calling the CreateDBInstance operation: User: arn:aws:sts::*********:assumed-role/*****/****** is not authorized to perform: rds:CreateDBInstance on resource: arn:aws:rds:******:*********:db:mydbinstance with an explicit deny
exit status 254
zsh: no matches found: [Key=Project]

标签： amazon-web-servicesamazon-rds