如何访问在其他帐户中创建的AWS资源 [英] How to access aws resources created in other account

问题描述

在我的用例中，我想访问在AWS账户A中创建的 DynamoDB 表和在账户B中创建的Lambda。为此，我在Internet上关注了许多参考资料，我使用AWS担任角色功能。
我已在Lambda执行角色中添加以下权限

In my use case, I want to access DynamoDB table created in AWS account A and Lambda created in account B. For this I have followed many references on Internet which suggests me to use AWS assume role feature. I have added following permission in Lambda execution role

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::aws-account-A-number:role/test-db-access"
   }
}

以下是Lambda的信任关系

Following is the trust relationship of Lambda

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
           "Service": "lambda.amazonaws.com"
       },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
      "AWS": "arn:aws:iam::aws-account-A-number:root"
       },
     "Action": "sts:AssumeRole"
    }
  ]
}

在帐户中A，我已经创建了角色（test-db-access）以允许其他人访问此帐户，并添加了 A mazonDynamoDBFullAccess 和AdministratorAccess策略。以下是我在此帐户中添加的信任关系

In account A, I have created role(test-db-access) for allowing others to access this account and added AmazonDynamoDBFullAccess and AdministratorAccess policies. Following is the trust relationship I have added in this account

{
  "Version": "2012-10-17",
   "Statement": [
     {
        "Effect": "Allow",
        "Principal": {
        "AWS": "arn:aws:iam::aws-account-B-number:role/sam-dev-test- 
            TestLambda-LambdaRole-1FH5IC18J0MYT"
         },
       "Action": "sts:AssumeRole"
     },
     {
       "Effect": "Allow",
       "Principal": {
           "Service": "lambda.amazonaws.com"
         },
       "Action": "sts:AssumeRole"
     }
  ]
}

以下是我添加的用于访问Dynamo数据库实例的Java代码

Following is the Java code I have added to access Dynamo DB instance

AssumeRoleRequest assumeRequest = new AssumeRoleRequest()
            .withRoleArn("arn:aws:iam::aws-account-A-number:role/test-db-access").withRoleSessionName("cross_acct_lambda").withDurationSeconds(900);
final AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard().withRegion("eu-west-1").build();
final Credentials credentials = sts.assumeRole(assumeRequest).getCredentials();

以下是执行lambda的崩溃日志

following is the crash log coming on executing lambda

{
errorMessage：用户：arn：aws：sts :: aws-account-B-number：assumed-role / sam-dev-test-TestLambda-LambdaRole- 1FH5IC18J0MYT / sam-dev-test-TestLambda-LambdaFunction-73TVOBN6VXXX无权执行：资源上的sts：AssumeRole：arn：aws：iam :: aws-account-A-number：role / test-db-access（服务： AWSSecurityTokenService；状态代码：403；错误代码：AccessDenied；请求ID：100bd3a3-3f9c-11ea-b642-d3b4d9ff35de），
errorType： com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException
}

推荐答案

看来您的要求是：

• 从 Account-B 中的AWS Lambda函数访问 Account-A中的DynamoDB表

• From an AWS Lambda function in Account-B, access a DynamoDB table in Account-A

为了重现您的情况，我做了以下操作：

To reproduce your situation I did the following:

• 在 Account-A


• 在角色-A ） > Account-A 具有以下策略：

• Created a DynamoDB table in Account-A
• Created an IAM Role (Role-A) in Account-A with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "dynamodb:*",
            "Resource": "arn:aws:dynamodb:ap-southeast-2:<Account-A>:table/Inventory"
        }
    ]
}

此信任关系（指向下一步创建的角色）：

And this Trust Relationship (pointing to the Role created in the next step):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<Account-B>:role/role-b"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

• 在 Role-B ） >帐户B 用于Lambda函数，使用以下政策：


• Created an IAM Role (Role-B) in Account-B for use with the Lambda function, with this policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::<Account-A>:role/role-a"
        }
    ]
}

并且具有这种信任关系：

And with this Trust Relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}







• 在 Account-B中创建AWS Lambda函数将：
  
  
  
  
  • 在中假设角色-A 帐户A
  
  
  • 访问帐户A
  
  中的DynamoDB表
  • Created an AWS Lambda function in Account-B that will:
    • Assume Role-A in Account-A
    • Access the DynamoDB table in Account-A

    我是Python人，所以我的函数

    I'm a Python person, so my function is:

    import boto3
    
    def lambda_handler(event, context):
    
        # Assume Role
        sts_client = boto3.client('sts')
    
        response = sts_client.assume_role(
            RoleArn='arn:aws:iam::<Account-A>:role/stack-role-a', 
            RoleSessionName='bar')
    
        session = boto3.Session(
            aws_access_key_id=response['Credentials']['AccessKeyId'],
            aws_secret_access_key=response['Credentials']['SecretAccessKey'],
            aws_session_token=response['Credentials']['SessionToken']
        )
    
        # Update DynamoDB
        dynamodb_client = session.client('dynamodb')
    
        dynamodb_client.update_item(
            TableName='Inventory',
            Key={'Item': {'S': 'foo'}},
            UpdateExpression="ADD #count :increment",
            ExpressionAttributeNames = {
                '#count': 'count'
            },
            ExpressionAttributeValues = {
                ':increment': {'N': '1'},
            }
        ) 
    

    我通过在 Account-B 中的Lambda函数上单击 Test 进行了测试。它成功更新了 Account-A 中的DynamoDB表。

    I tested this by clicking Test on the Lambda function in Account-B. It successfully updated the DynamoDB table in Account-A.

    我怀疑有区别与您的信任策略有关，似乎有些不同。

    I suspect the difference is with your trust policies, which appear to be a little bit different.

    这篇关于如何访问在其他帐户中创建的AWS资源的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！