如何访问在其他帐户中创建的AWS资源 [英] How to access aws resources created in other account
问题描述
在我的用例中,我想访问在AWS账户A中创建的 DynamoDB
表和在账户B中创建的Lambda。为此,我在Internet上关注了许多参考资料,我使用AWS担任角色功能。
我已在Lambda执行角色中添加以下权限
In my use case, I want to access DynamoDB
table created in AWS account A and Lambda created in account B. For this I have followed many references on Internet which suggests me to use AWS assume role feature.
I have added following permission in Lambda execution role
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::aws-account-A-number:role/test-db-access"
}
}
以下是Lambda的信任关系
Following is the trust relationship of Lambda
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-A-number:root"
},
"Action": "sts:AssumeRole"
}
]
}
在帐户中A,我已经创建了角色(test-db-access)以允许其他人访问此帐户,并添加了 A mazonDynamoDBFullAccess
和AdministratorAccess策略。以下是我在此帐户中添加的信任关系
In account A, I have created role(test-db-access) for allowing others to access this account and added AmazonDynamoDBFullAccess
and AdministratorAccess policies. Following is the trust relationship I have added in this account
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::aws-account-B-number:role/sam-dev-test-
TestLambda-LambdaRole-1FH5IC18J0MYT"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
以下是我添加的用于访问Dynamo数据库实例的Java代码
Following is the Java code I have added to access Dynamo DB instance
AssumeRoleRequest assumeRequest = new AssumeRoleRequest()
.withRoleArn("arn:aws:iam::aws-account-A-number:role/test-db-access").withRoleSessionName("cross_acct_lambda").withDurationSeconds(900);
final AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard().withRegion("eu-west-1").build();
final Credentials credentials = sts.assumeRole(assumeRequest).getCredentials();
以下是执行lambda的崩溃日志
following is the crash log coming on executing lambda
{
errorMessage:用户:arn:aws:sts :: aws-account-B-number:assumed-role / sam-dev-test-TestLambda-LambdaRole- 1FH5IC18J0MYT / sam-dev-test-TestLambda-LambdaFunction-73TVOBN6VXXX无权执行:资源上的sts:AssumeRole:arn:aws:iam :: aws-account-A-number:role / test-db-access(服务: AWSSecurityTokenService;状态代码:403;错误代码:AccessDenied;请求ID:100bd3a3-3f9c-11ea-b642-d3b4d9ff35de),
errorType: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException
}
推荐答案
看来您的要求是:
- 从
Account-B
中的AWS Lambda函数访问Account-A中的DynamoDB表
- From an AWS Lambda function in
Account-B
, access a DynamoDB table inAccount-A
为了重现您的情况,我做了以下操作:
To reproduce your situation I did the following:
- 在
Account-A
- 在
角色-A
) > Account-A 具有以下策略:
- Created a DynamoDB table in
Account-A
- Created an IAM Role (
Role-A
) inAccount-A
with the following policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "dynamodb:*",
"Resource": "arn:aws:dynamodb:ap-southeast-2:<Account-A>:table/Inventory"
}
]
}
此信任关系(指向下一步创建的角色):
And this Trust Relationship (pointing to the Role created in the next step):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<Account-B>:role/role-b"
},
"Action": "sts:AssumeRole"
}
]
}
- 在
Role-B
) >帐户B 用于Lambda函数,使用以下政策: - Created an IAM Role (
Role-B
) inAccount-B
for use with the Lambda function, with this policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<Account-A>:role/role-a"
}
]
}
并且具有这种信任关系:
And with this Trust Relationship:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
- 在
Account-B中创建AWS Lambda函数
将:
- 在
中假设
角色-A
帐户A - 访问
帐户A
- Created an AWS Lambda function in
Account-B
that will:- Assume
Role-A
inAccount-A
- Access the DynamoDB table in
Account-A
我是Python人,所以我的函数
I'm a Python person, so my function is:
import boto3 def lambda_handler(event, context): # Assume Role sts_client = boto3.client('sts') response = sts_client.assume_role( RoleArn='arn:aws:iam::<Account-A>:role/stack-role-a', RoleSessionName='bar') session = boto3.Session( aws_access_key_id=response['Credentials']['AccessKeyId'], aws_secret_access_key=response['Credentials']['SecretAccessKey'], aws_session_token=response['Credentials']['SessionToken'] ) # Update DynamoDB dynamodb_client = session.client('dynamodb') dynamodb_client.update_item( TableName='Inventory', Key={'Item': {'S': 'foo'}}, UpdateExpression="ADD #count :increment", ExpressionAttributeNames = { '#count': 'count' }, ExpressionAttributeValues = { ':increment': {'N': '1'}, } )
我通过在
Account-B
中的Lambda函数上单击 Test 进行了测试。它成功更新了Account-A
中的DynamoDB表。I tested this by clicking Test on the Lambda function in
Account-B
. It successfully updated the DynamoDB table inAccount-A
.我怀疑有区别与您的信任策略有关,似乎有些不同。
I suspect the difference is with your trust policies, which appear to be a little bit different.
这篇关于如何访问在其他帐户中创建的AWS资源的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
- Assume
中的DynamoDB表 - 在