S3存储桶策略，如何从另一个帐户允许IAM组? [英] S3 bucket policy, how to ALLOW a IAM group from another account?

问题描述

我在一个AWS账户(例如arn:aws:s3:::my-test-bucket)中有一个S3存储桶，需要由另一个AWS账户(例如arn:aws:iam::1111222333444:group/mygroup)中定义的IAM组访问.以下访问策略拒绝保存，并告知arn:aws:s3:::my-test-bucket是无效的主体.

I have one S3 bucket in one AWS account (say arn:aws:s3:::my-test-bucket), that needs to be accessed by a IAM group that is defined in another AWS account (say arn:aws:iam::1111222333444:group/mygroup). The following access policy refuses to save, and tells that arn:aws:s3:::my-test-bucket is an invalid principal.

{
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:List*",
                "s3:Get*"
            ],
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1111222333444:group/mygroup"
            },
            "Resource": [
                "arn:aws:s3:::my-test-bucket",
                "arn:aws:s3:::my-test-bucket/*"
            ],
            "Sid": "allow-put-for-dedicated-group"
        }
    ],
}

我已经通过用另一个帐户的用户之一替换该组的方式进行了测试，并且可以正常工作:

I have tested by replacing the group with one of the users of the other account and this works:

{
    "Statement": [
        {
            "Action": [
                "s3:ListBucket",
                "s3:PutObject",
                "s3:List*",
                "s3:Get*"
            ],
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::1111222333444:user/me"
            },
            "Resource": [
                "arn:aws:s3:::my-test-bucket",
                "arn:aws:s3:::my-test-bucket/*"
            ],
            "Sid": "allow-put-for-dedicated-user"
        }
    ],
}

该组存在，我不明白为什么它说它是无效的主体.实际上，它不接受我的其他帐户的任何组.

The group is existing, I do not understand why it says it is an invalid principal. In fact it does not accept any group of my other account.

有人对此行为有解释(可能是解决方案)吗?

Does anyone have an explanation (and possibly a solution) to this behaviour?

预先感谢， 干杯

推荐答案

IAM组无效原理.请参阅此AWS论坛帖子和

IAM groups are not valid principals in S3 bucket policies. See this AWS forum post and this SO post for more discussion.

这是一个主意:在帐户#1(具有S3存储桶的帐户)中创建IAM角色(例如cross-account-s3).该角色应具有允许适当的S3存储桶访问的策略，并且应具有表示帐户#2受sts:AssumeRole信任的信任关系.然后在帐户2中，将承担cross-account-s3角色的权限委派给相关的IAM组.这要求您信任第二个帐户中的IAM管理员，以不允许错误的用户承担cross-account-s3角色.

Here's one idea: create an IAM role (for example cross-account-s3) in account #1 (the account with the S3 bucket). That role should have a policy that allows the appropriate S3 bucket access and it should have a trust relationship that says account #2 is trusted for sts:AssumeRole. Then in account #2, delegate permission to assume the cross-account-s3 role to the relevant IAM group. This requires you to trust the IAM admins in the 2nd account to not allow the wrong users to assume the cross-account-s3 role.

这篇关于S3存储桶策略，如何从另一个帐户允许IAM组?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！