CloudWatch Evidently の EvaluateFeature の実行に必要な最低限のポリシー
evidently:EvaluateFeature
だけを実行するために必要な最低限の IAM ポリシーを知りたい
IAM のドキュメントを見ると Feature*
が対象の ResourceType になっている。
適当に作った Project, Feature で試す。(間違えてバージニア北部に作ってしまった)
{
"feature": {
"arn": "arn:aws:evidently:us-east-1:000000000000:project/policy-test/feature/color",
"createdTime": "2022-03-16T22:08:40.543000+09:00",
"defaultVariation": "RED",
"entityOverrides": {
"colorful": "RAINBOW"
},
"evaluationRules": [
{
"name": "arn:aws:evidently:us-east-1:000000000000:project/policy-test/launch/color-launch",
"type": "aws.evidently.splits"
}
],
"evaluationStrategy": "ALL_RULES",
"lastUpdatedTime": "2022-03-16T22:09:25.919000+09:00",
"name": "color",
"project": "arn:aws:evidently:us-east-1:000000000000:project/policy-test",
"status": "AVAILABLE",
"tags": {},
"valueType": "STRING",
"variations": [
{
"name": "BLUE",
"value": {
"stringValue": "blue"
}
},
{
"name": "GREEN",
"value": {
"stringValue": "green"
}
},
{
"name": "RAINBOW",
"value": {
"stringValue": "rainbow"
}
},
{
"name": "RED",
"value": {
"stringValue": "red"
}
}
]
}
}
とりあえず Feature
だけをリソースに指定してみる。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"evidently:EvaluateFeature"
],
"Resource": [
"arn:aws:evidently:us-east-1:000000000000:project/*-test/feature/*"
]
}
]
}
❯ aws evidently evaluate-feature \
--project policy-test \
--feature color \
--entity-id 'hote' \
--region us-east-1 \
--profile debug
An error occurred (AccessDeniedException) when calling the EvaluateFeature operation: User: arn:aws:iam::000000000000:user/DemoUser is not authorized to perform: evidently:EvaluateFeature on resource: arn:aws:evidently:us-east-1:000000000000:project/policy-test because no identity-based policy allows the evidently:EvaluateFeature action
はい。
次はプロジェクトも指定してみる。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"evidently:EvaluateFeature"
],
"Resource": [
"arn:aws:evidently:us-east-1:000000000000:project/*-test",
"arn:aws:evidently:us-east-1:000000000000:project/*-test/feature/*"
]
}
]
}
An error occurred (AccessDeniedException) when calling the EvaluateFeature operation: User: arn:aws:iam::000000000000:user/DemoUser is not authorized to perform: evidently:EvaluateFeature on resource: arn:aws:evidently:us-east-1:000000000000:project/policy-test because no identity-based policy allows the evidently:EvaluateFeature action
はい。
というか
because no identity-based policy allows the evidently:EvaluateFeature action
って何。
GetFeature
も許可してみる。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"evidently:EvaluateFeature",
"evidently:GetFeature"
],
"Resource": [
"arn:aws:evidently:us-east-1:000000000000:project/*-test",
"arn:aws:evidently:us-east-1:000000000000:project/*-test/feature/*"
]
}
]
}
An error occurred (AccessDeniedException) when calling the EvaluateFeature operation: User: arn:aws:iam::000000000000:user/DemoUser is not authorized to perform: evidently:EvaluateFeature on resource: arn:aws:evidently:us-east-1:000000000000:project/policy-test because no identity-based policy allows the evidently:EvaluateFeature action
変わらず。
GetProject
も許可してみる。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"evidently:EvaluateFeature",
"evidently:GetFeature",
"evidently:GetProject"
],
"Resource": [
"arn:aws:evidently:us-east-1:000000000000:project/*-test",
"arn:aws:evidently:us-east-1:000000000000:project/*-test/feature/*"
]
}
]
}
❯ aws evidently evaluate-feature \
--project policy-test \
--feature color \
--entity-id 'hote' \
--region us-east-1 \
--profile debug
{
"details": "{\"launch\":\"color-launch\",\"group\":\"V2\"}",
"reason": "LAUNCH_RULE_MATCH",
"value": {
"stringValue": "green"
},
"variation": "GREEN"
}
きた。
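# Evaluate the feature for 10 freshly generated entity IDs and print the
# variation each one lands in, to observe the launch split.
# Requires evidently:EvaluateFeature, evidently:GetFeature and
# evidently:GetProject on the project and feature ARNs (see the policy above).
for _ in {1..10}; do
  uuid=$(uuidgen) || { printf 'uuidgen failed\n' >&2; continue; }
  # --query/--output text yields the bare variation name (e.g. GREEN).
  value=$(aws evidently evaluate-feature \
    --project policy-test \
    --feature color \
    --entity-id "${uuid}" \
    --region us-east-1 \
    --profile debug \
    --query variation \
    --output text) || { printf 'evaluate-feature failed for %s\n' "${uuid}" >&2; continue; }
  printf '%s: %s\n' "${uuid}" "${value}"
done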
結果
67ACB105-FF98-40B0-A430-494C32C4BB51: RED
5E11F0D1-FFA7-4907-8087-674658CDD946: BLUE
2892EE7F-3710-40E8-8CE4-57829EC2F87C: BLUE
91523262-9F68-44CC-981F-E2963C1CF05A: GREEN
7765A2F5-B80E-4EF3-8897-5D98C3D9EA68: GREEN
526E855B-9540-4360-B9CE-8AC279794D9C: BLUE
6D7CE143-B5CF-4961-87B6-3E3FAB7BBBE1: RED
BAFD00D5-4385-40EA-B196-DADC43907B1B: RED
6CBFF425-5A67-4DA1-B706-AD399A89139D: BLUE
7FD21DA4-EC0B-49F0-8B0C-F0A29AF68D4B: GREEN
結論。
EvaluateFeature
API を叩くには
evidently:EvaluateFeature
evidently:GetFeature
evidently:GetProject
のアクションの許可が必要。
evidently:ListFeatures
も叩きたい場合は Statement を分け、リソースを *
で指定する。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"evidently:ListFeatures"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"evidently:EvaluateFeature",
"evidently:GetFeature",
"evidently:GetProject"
],
"Resource": [
"arn:aws:evidently:us-east-1:000000000000:project/*-test",
"arn:aws:evidently:us-east-1:000000000000:project/*-test/feature/*"
]
}
]
}