具有角色的S3跨帐户访问 [英] S3 Cross Account Access With Role

问题描述

我需要创建一个跨帐户角色，以从我拥有的另一个AWS帐户访问S3存储桶的资源.

I need to create a cross account role to access the resources of S3 bucket from another aws account that I owns.

请帮助我使用交叉帐户IAM角色来实现此功能，而不使用Access或秘密密钥.

Please help me to implement this using the cross account IAM role without using Access or secret keys.

推荐答案

假设您拥有:

• 帐户A中的角色A
• 与角色A相关联的帐户A中的实例A
• 帐户B中的桶B

您希望允许实例A上的应用程序访问存储桶B的内容.

You wish to allow an application on Instance A to access the content of Bucket B.

请求您可以使用的信息策略变量文档的表格显示了aws:userid的各种值，包括:

The Request Information That You Can Use for Policy Variables documentation has a table showing various values of aws:userid including:

对于分配给Amazon EC2实例的角色，该角色设置为role-id:ec2-instance-id

因此，您可以使用与Amazon EC2实例相关联的角色的角色ID 来允许访问，或者使用实例ID .

Therefore, you could use the Role ID of the role associated with the Amazon EC2 instance to permit access OR the Instance ID.

例如，此存储桶策略基于角色ID :

For example, this bucket policy is based on a Role ID:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SID123",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::MYBUCKET",
                "arn:aws:s3:::MYBUCKET/*"
            ],
            "Principal": "*",
            "Condition": {
                "StringLike": {
                    "aws:userid": [
                        "AROAIIPEUJOUGITIU5BB6*"
                    ]
                }
            }
        }
    ]
}

要获取角色ID，请使用:

To obtain the Role ID, use:

aws iam get-role --role-name ROLENAME

此存储桶策略基于实例ID :

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SID123",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::MYBUCKET",
                "arn:aws:s3:::MYBUCKET/*"
            ],
            "Principal": "*",
            "Condition": {
                "StringLike": {
                    "aws:userid": [
                        "*:i-03c9a5f3fae4b630a"
                    ]
                }
            }
        }
    ]
}

实例ID将随实例一起保留，但是如果启动了一个新实例，即使来自同一Amazon Machine Image(AMI)，也会分配一个新实例.

The Instance ID will remain with the instance, but a new one will be assigned if a new instance is launched, even from the same Amazon Machine Image (AMI).

当然，您可能希望将这些权限限制为s3:GetObject而不是s3:*.

Of course, you'd probably want to restrict those permissions to just s3:GetObject rather than s3:*.

(此答案基于根据角色名称授予对S3资源的访问权限.)

这篇关于具有角色的S3跨帐户访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！