2026-03-12

IAM policy grammar, and the { subject, { predicate, object } } triple

Ok, I figured out what is unclear about AWS IAM policy grammar. It is about the implementation of the { subject, { predicate, object } } triple / triplet / 3-tuple.

  • BASIS :
    • Policies are written as predicates, which means they lack a subject. When a policy is attached to a subject, a.k.a. a principal, the policy-as-predicate is interpreted in the context of that principal-as-subject.
    • ISSUE ARISING :
      • Without knowing the subject of a policy-as-predicate, it is not apparent what the policy-as-predicate is about.
  • BASIS :
    • Policies-as-predicates must specify resources-as-objects.
    • ISSUE ARISING :
      • Some policies-as-predicates carry the object key `Principal`, which does name an authorised subject; however, again it is not explicit what the predicate and its object are. By skipping a few steps of logic it turns out, intuitively, that the current policy is a policy-as-predicate and the specified principal is a principal-as-subject; indeed it is a principal-as-both-subject-and-object, since the policy is attached to the resource and names the principal as one of its values.
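To make the two BASIS points concrete, here is an added example (my own, not AWS documentation) that expands a policy document into explicit (subject, (effect, action), object) triples: for an identity-based policy the subject is supplied by the principal it is attached to, for a resource-based policy it is read from the `Principal` element. The policy documents and the ARNs in them are constructed sample values.

```python
# Constructed examples (not from any real account). Identity-based policy:
# a predicate with no subject; the subject is whichever principal it is attached to.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}
# Resource-based policy: the Principal element names the subject explicitly,
# while the policy itself is attached to the object (the bucket).
RESOURCE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/reader"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-bucket/*"}],
}

def _as_list(value):
    """IAM allows a string or a list in Action, Resource and Principal values."""
    return value if isinstance(value, list) else [value]

def _subjects(statement, attached_to):
    """Recover the subject of one statement: the Principal element if present,
    otherwise the principal the policy was attached to."""
    if "Principal" in statement:
        principal = statement["Principal"]
        if principal == "*":          # anonymous / any principal
            return ["*"]
        # e.g. {"AWS": [...], "Service": "..."}: flatten all principal values
        return [p for values in principal.values() for p in _as_list(values)]
    if attached_to is None:
        raise ValueError("predicate without subject: attach the policy to a principal first")
    return [attached_to]

def triples(policy, attached_to=None):
    """Expand a policy document into (subject, (effect, action), object) tuples.
    Statements without a Resource key (some resource-based policies) refer to
    the resource they are attached to, shown here as a labelled placeholder."""
    out = []
    for st in _as_list(policy["Statement"]):
        for subject in _subjects(st, attached_to):
            for action in _as_list(st["Action"]):
                for obj in _as_list(st.get("Resource", "(attached resource)")):
                    out.append((subject, (st["Effect"], action), obj))
    return out
```

Calling `triples(IDENTITY_POLICY)` with no `attached_to` raises, which is exactly the first ISSUE ARISING; attaching it to a role ARN yields the same triple that `RESOURCE_POLICY` states on its own.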
