跨多个AWS账户的一个IAM角色 [英] One IAM Role across multiple AWS accounts

问题描述

出于安全原因，我们有一个pre-prod和一个prod AWS帐户.我们现在开始使用IAM角色通过django-storage/boto对S3访问js/css文件.

虽然这在每个帐户上都可以正常工作，但是现在，对于QA实例需要访问生产帐户上的一个S3存储桶的需求有所增加.

是否有一种方法可以让一个IAM角色授予对pre-prod和prod S3存储桶的访问权限?在我写作时，这似乎是不可能的，但从来没有人问过！

解决方案

以下是AWS文档:

这对于只读访问非常有效，但是写访问可能会出现问题.首先，写对象的帐户仍将是该对象的所有者.处理写入"权限时，通常需要确保拥有存储桶的帐户仍具有访问其他帐户写入的对象的能力，这要求使用特定的标头写入对象:x-amz-grant-full-control

您可以设置存储桶策略，以使存储桶不接受不提供此标头的跨帐户对象.在页面底部有一个示例: http ://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html (在在确保存储桶拥有者完全控制权限的同时，授予跨帐户权限上载对象")

这在存储桶策略中使用了条件Deny子句，如下所示: { "Sid":"112", "Effect":"Deny", "Principal":{"AWS":"1111111111" }, "Action":"s3:PutObject", "Resource":"arn:aws:s3:::examplebucket/*", "Condition": { "StringNotEquals": {"s3:x-amz-grant-full-control":["emailAddress=xyz@amazon.com"]} } }

我通常自己避免跨帐户对象写操作……它们很容易设置.

For security reasons, we have a pre-prod and a prod AWS account. We're now beginning to use IAM Roles for S3 access to js/css files through django-storage / boto.

While this is working correctly on a per account basis, now a need has risen where the QA instance needs to access one S3 bucket on a the prod account.

Is there a way to have one IAM role that can grant access to the pre-prod And prod S3 buckets? As I'm writing it seems impossible, but it never hearts to ask!

解决方案

Here's the AWS doc on this: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-walkthroughs-managing-access-example2.html

Essentially, you have to delegate permissions to one account from the other account using the Principal block of your Bucket's IAM policy, and then set up your IAM user in the second account as normal.

Example bucket policy: { "Version": "2012-10-17", "Statement": [ { "Sid": "Example permissions", "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::<Account-ID>:root" }, "Action": [ "s3:GetBucketLocation", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::<bucket-name>" ] } ] }

This works well for read-only access, but there can be issues with write access. Primarily, the account writing the object will still be the owner of that object. When dealing with Write permissions, you'll usually want to make sure the account owning the bucket still has the ability to access objects written by the other account, which requires the object to be written with a particular header: x-amz-grant-full-control

You can set up your bucket policy so that the bucket will not accept cross-account objects that do not supply this header. There's an example of that at the bottom of this page: http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html (under "Granting Cross-Account Permissions to Upload Objects While Ensuring the Bucket Owner Has Full Control")

This makes use of a conditional Deny clause in the bucket policy, like so: { "Sid":"112", "Effect":"Deny", "Principal":{"AWS":"1111111111" }, "Action":"s3:PutObject", "Resource":"arn:aws:s3:::examplebucket/*", "Condition": { "StringNotEquals": {"s3:x-amz-grant-full-control":["emailAddress=xyz@amazon.com"]} } }

I generally avoid cross-account object writes, myself...they are quite fiddly to set up.

这篇关于跨多个AWS账户的一个IAM角色的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！