具有角色的S3跨帐户访问 [英] S3 Cross Account Access With Role
问题描述
我需要创建一个跨帐户角色,以从我拥有的另一个AWS帐户访问S3存储桶的资源.
I need to create a cross account role to access the resources of S3 bucket from another aws account that I owns.
请帮助我使用交叉帐户IAM角色来实现此功能,而不使用Access或秘密密钥.
Please help me to implement this using the cross account IAM role without using Access or secret keys.
推荐答案
假设您拥有:
- 帐户A中的角色A
- 与角色A相关联的帐户A中的实例A
- 帐户B中的桶B
您希望允许实例A上的应用程序访问存储桶B的内容.
You wish to allow an application on Instance A to access the content of Bucket B.
请求您可以使用的信息策略变量文档的表格显示了aws:userid
的各种值,包括:
The Request Information That You Can Use for Policy Variables documentation has a table showing various values of aws:userid
including:
对于分配给Amazon EC2实例的角色,该角色设置为
role-id:ec2-instance-id
因此,您可以使用与Amazon EC2实例相关联的角色的角色ID 来允许访问,或者使用实例ID .
Therefore, you could use the Role ID of the role associated with the Amazon EC2 instance to permit access OR the Instance ID.
例如,此存储桶策略基于角色ID :
For example, this bucket policy is based on a Role ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SID123",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::MYBUCKET",
"arn:aws:s3:::MYBUCKET/*"
],
"Principal": "*",
"Condition": {
"StringLike": {
"aws:userid": [
"AROAIIPEUJOUGITIU5BB6*"
]
}
}
}
]
}
要获取角色ID,请使用:
To obtain the Role ID, use:
aws iam get-role --role-name ROLENAME
此存储桶策略基于实例ID :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SID123",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::MYBUCKET",
"arn:aws:s3:::MYBUCKET/*"
],
"Principal": "*",
"Condition": {
"StringLike": {
"aws:userid": [
"*:i-03c9a5f3fae4b630a"
]
}
}
}
]
}
实例ID将随实例一起保留,但是如果启动了一个新实例,即使来自同一Amazon Machine Image(AMI),也会分配一个新实例.
The Instance ID will remain with the instance, but a new one will be assigned if a new instance is launched, even from the same Amazon Machine Image (AMI).
当然,您可能希望将这些权限限制为s3:GetObject
而不是s3:*
.
Of course, you'd probably want to restrict those permissions to just s3:GetObject
rather than s3:*
.
(此答案基于根据角色名称授予对S3资源的访问权限.)
这篇关于具有角色的S3跨帐户访问的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!