S3存储桶策略,如何从另一个帐户允许IAM组? [英] S3 bucket policy, how to ALLOW a IAM group from another account?
问题描述
我在一个AWS账户(例如arn:aws:s3:::my-test-bucket
)中有一个S3存储桶,需要由另一个AWS账户(例如arn:aws:iam::1111222333444:group/mygroup
)中定义的IAM组访问.以下访问策略拒绝保存,并告知arn:aws:s3:::my-test-bucket
是无效的主体.
I have one S3 bucket in one AWS account (say arn:aws:s3:::my-test-bucket
), that needs to be accessed by a IAM group that is defined in another AWS account (say arn:aws:iam::1111222333444:group/mygroup
). The following access policy refuses to save, and tells that arn:aws:s3:::my-test-bucket
is an invalid principal.
{
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:List*",
"s3:Get*"
],
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1111222333444:group/mygroup"
},
"Resource": [
"arn:aws:s3:::my-test-bucket",
"arn:aws:s3:::my-test-bucket/*"
],
"Sid": "allow-put-for-dedicated-group"
}
],
}
我已经通过用另一个帐户的用户之一替换该组的方式进行了测试,并且可以正常工作:
I have tested by replacing the group with one of the users of the other account and this works:
{
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:List*",
"s3:Get*"
],
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1111222333444:user/me"
},
"Resource": [
"arn:aws:s3:::my-test-bucket",
"arn:aws:s3:::my-test-bucket/*"
],
"Sid": "allow-put-for-dedicated-user"
}
],
}
该组存在,我不明白为什么它说它是无效的主体.实际上,它不接受我的其他帐户的任何组.
The group is existing, I do not understand why it says it is an invalid principal. In fact it does not accept any group of my other account.
有人对此行为有解释(可能是解决方案)吗?
Does anyone have an explanation (and possibly a solution) to this behaviour?
预先感谢, 干杯
推荐答案
IAM groups are not valid principals in S3 bucket policies. See this AWS forum post and this SO post for more discussion.
这是一个主意:在帐户#1(具有S3存储桶的帐户)中创建IAM角色(例如cross-account-s3
).该角色应具有允许适当的S3存储桶访问的策略,并且应具有表示帐户#2受sts:AssumeRole
信任的信任关系.然后在帐户2中,将承担cross-account-s3
角色的权限委派给相关的IAM组.这要求您信任第二个帐户中的IAM管理员,以不允许错误的用户承担cross-account-s3角色.
Here's one idea: create an IAM role (for example cross-account-s3
) in account #1 (the account with the S3 bucket). That role should have a policy that allows the appropriate S3 bucket access and it should have a trust relationship that says account #2 is trusted for sts:AssumeRole
. Then in account #2, delegate permission to assume the cross-account-s3
role to the relevant IAM group. This requires you to trust the IAM admins in the 2nd account to not allow the wrong users to assume the cross-account-s3 role.
这篇关于S3存储桶策略,如何从另一个帐户允许IAM组?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!