IAM权限策略可以用于允许访问跨帐户资源吗? [英] Can IAM permission policy used to allow access to cross account resource?

问题描述

我的理解是，

服务控制策略和基于资源的策略主要用于允许/拒绝跨帐户访问资源.

Service control policy and resource based policies are mainly used to allow/deny cross account access to resources.

从此处解释的策略评估过程中，我了解到IAM权限策略(托管或内联)用于在AWS帐户内授予/拒绝Principal 的权限.

From the policy evaluation procedure explained here, I learned that IAM permission policy(managed or inline) is used to grant/deny permissions to Principal within an AWS account.

{
 "Version": "2012-10-17",
 "Statement": [

     {
         "Action": "sts:AssumeRole",
         "Resource": "arn:aws:iam::*:role/Somerole",
         "Effect": "Allow"
     }
 ]
}

但是上面是IAM权限策略，用于向源帐户中的Principal授予权限，以便可以访问(sts::AssumeRole)其他帐户资源(Somerole).

But above is the IAM permission policy, written to grant permissions to Principal in the source account, to have access(sts::AssumeRole) to other account resources(Somerole).

是否可以将IAM权限策略定义为允许源AWS帐户中的Principal获得权限(sts:AssumeRole)来访问其他帐户(*:role)中存在的资源(Somerole)?在我们的情况下，Principal是源AWS账户中的 IAM角色.

Can IAM permission policy be defined to allow Principal in source AWS account get permissions(sts:AssumeRole) to access resources(Somerole) that are present in other accounts(*:role)? In our case Principal is an IAM role in the source AWS account.

推荐答案

另一个帐户需要已授予对该帐户的访问权限.另一个帐户中的角色将需要与此类似的信任关系(通常还会为其添加条件):

The other account would need to have granted access to the account. The role in the other account would need a trust relationship similar to this (often it has conditions added to it as well):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<AccountId_A>:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

此示例假定您是在其中授予IAM权限的帐户.

This example assumes that is the account you are granting the IAM permission in.

这篇关于IAM权限策略可以用于允许访问跨帐户资源吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！