# 允许AWS服务访问 aws:PrincipalIsAWSService `aws:PrincipalIsAWSService: null` 这种情况会在AWS IAM策略评估期间出现,表示请求的发出者**不是**一个AWS服务。 换句话说,请求并非来自AWS内部的服务,而是来自外部的实体,例如: * **IAM用户:** 直接登录AWS控制台或使用AWS CLI的用户。 * **IAM角色:** 由IAM用户或其他AWS服务所承担的角色。 * **Federated用户:** 通过诸如SAML或OIDC之类的联合身份提供商进行身份验证的用户。 #### Bool in an Allow Statement
Policy ConditionRequest ContextResult
"Bool": {
  "aws:PrincipalIsAWSService": "true"
}
aws:PrincipalIsAWSService: nullNot Allowed Not AllowedStatement does not apply
"Bool": {
  "aws:PrincipalIsAWSService": "true"
}
aws:PrincipalIsAWSService: trueAllowed AllowedAssuming no explicit Deny elsewhere
"Bool": {
  "aws:PrincipalIsAWSService": "true"
}
aws:PrincipalIsAWSService: falseNot Allowed Not AllowedStatement does not apply
BoolIfExists in an Allow Statement
Policy ConditionRequest ContextResult
"BoolIfExists": {
  "aws:PrincipalIsAWSService": "true"
}
aws:PrincipalIsAWSService: nullAllowed AllowedAssuming no explicit Deny elsewhere
"BoolIfExists": {
  "aws:PrincipalIsAWSService": "true"
}
aws:PrincipalIsAWSService: trueAllowed AllowedAssuming no explicit Deny elsewhere
"BoolIfExists": {
  "aws:PrincipalIsAWSService": "true"
}
aws:PrincipalIsAWSService: falseNot Allowed Not AllowedStatement does not apply