Configure AWS Role to switch between Organization Accounts
Problem description
I'm trying to follow the instructions in How can I allow a Group to assume a Role?, but run into the following error when I try to switch roles:
Invalid information in one or more fields. Check your information or contact your administrator.
In this scenario I have three AWS Accounts with example ids:
- CompanyMain - 000000000001
- CompanyProd - 000000000002
- CompanyDev - 000000000003
Where the main account has an organization that includes the prod and dev accounts.
What I'd like to do is set up a single set of IAM users on the main account and allow them to login and switch between either of the two subaccounts, instead of forcing everyone to have three separate logins.
Here's what I've done so far, all on the CompanyMain account:
Create Role for accessing Prod Account
- Set trusted Entity to "Another AWS Account"
- Set Permission Policy to AdministratorAccess
So when I go to Role > "Trust Relationship" > Show Policy Document, it looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000002:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
With the name "company-prod-admin" so the ARN is like this:
arn:aws:iam::000000000001:role/company-prod-admin
This also comes with the link to switch roles as follows:
https://signin.aws.amazon.com/switchrole?roleName=company-prod-admin&account=000000000001
Create a Policy to Assume this Role
- Service: STS
- Actions: AssumeRole
- Role ARN: arn:aws:iam::000000000001:role/company-prod-admin
So the Policy Document looks like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::000000000002:root"
    }
  ]
}
Create Admin Group
Create a group on the main account called admin and attach the policy we just created.
Create IAM User
Create a user on the main account and place it in the admin group.
Sign in as IAM User
I can now sign in as an IAM user against the main account
From there, I'd like to switch roles by using the role link or going to https://signin.aws.amazon.com/switchrole and entering the account / role info
However, I get the error that the following info is invalid
Org Setup Question
How can I create roles that work across organizations? I'm a little confused as to where the role / permission needs to originate between the three accounts, but ideally I'd like to have a way for someone to log in to one set of permissions for the whole organization.
You need to do the IAM policy the other way around: if you want to be able to access CompanyProd from CompanyMain, then you need to create an IAM policy in CompanyProd like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::000000000001:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
Next you log in to MainCompany and go to Switch Role. In the Account field, you write 000000000002; in the Role field, you write root.
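As an added example (not part of the question or the answer above), the following Python script checks a cross-account switch-role setup offline before anyone touches the console. It encodes the arrangement the answer describes: the role and its trust policy live in the target account (CompanyProd), the identity policy granting sts:AssumeRole lives in the source account (CompanyMain) and must name the target role's ARN rather than an account ":root" principal. It assumes the role keeps the question's name, company-prod-admin, and is created in CompanyProd; the policy documents are constructed sample data built from the question's example account ids.

```python
"""Offline consistency check for an IAM cross-account AssumeRole setup.

Added example; not code from the original question or answer.
Account ids and the role name are the question's examples, not real accounts.
"""
import fnmatch
import json
import re

MAIN_ACCOUNT = "000000000001"    # CompanyMain: where the IAM users/groups live
PROD_ACCOUNT = "000000000002"    # CompanyProd: where the role should live (assumption)
ROLE_NAME = "company-prod-admin"  # role name from the question

ACCOUNT_ROOT_RE = re.compile(r"^arn:aws:iam::(\d{12}):root$")


def _statements(policy):
    """IAM lets "Statement" be one object or a list; normalise to a list."""
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allow_assume_statements(policy):
    """Yield Allow statements whose Action covers sts:AssumeRole (wildcards included)."""
    for s in _statements(policy):
        if s.get("Effect") != "Allow":
            continue
        if any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in _as_list(s.get("Action", []))):
            yield s


def check_setup(trust_policy, assume_policy, role_account, role_name, user_account):
    """Return a list of problems; an empty list means user_account can reach the role.

    trust_policy  : trust relationship of the role, which lives in role_account
    assume_policy : identity policy attached to the group/user in user_account
    """
    problems = []
    role_arn = f"arn:aws:iam::{role_account}:role/{role_name}"

    # (1) The trust policy must name the account the *users* sign in to, not the
    #     account that owns the role (the question had this inverted).
    trusted = set()
    for s in _allow_assume_statements(trust_policy):
        principal = s.get("Principal", {})
        if principal == "*":
            trusted.add("*")
            continue
        for p in _as_list(principal.get("AWS", [])):
            m = ACCOUNT_ROOT_RE.match(p)
            if m:
                trusted.add(m.group(1))
            elif p.startswith(f"arn:aws:iam::{user_account}:"):
                trusted.add(user_account)  # a specific user/role in the source account
    if user_account not in trusted and "*" not in trusted:
        problems.append(f"trust policy of {role_arn} does not trust account {user_account} "
                        f"(trusted accounts: {sorted(trusted) or 'none'})")

    # (2) The identity policy must allow sts:AssumeRole on the role's ARN.
    resources = set()
    for s in _allow_assume_statements(assume_policy):
        resources.update(_as_list(s.get("Resource", [])))
    for r in resources:
        if ACCOUNT_ROOT_RE.match(r):
            problems.append(f"Resource {r} is an account principal, not a role; "
                            "sts:AssumeRole resources must be role ARNs")
    if not any(fnmatch.fnmatchcase(role_arn, r) for r in resources):
        problems.append(f"identity policy does not allow sts:AssumeRole on {role_arn}")
    return problems


def switch_role_url(role_account, role_name):
    """Console switch-role link; 'account' must be the account that owns the role."""
    return f"https://signin.aws.amazon.com/switchrole?roleName={role_name}&account={role_account}"


# Constructed sample: the question's original (non-working) documents. The role
# was created in CompanyMain trusting CompanyProd, and the identity policy names
# an account root instead of a role ARN.
QUESTION_TRUST = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                            '"Principal": {"AWS": "arn:aws:iam::000000000002:root"}, '
                            '"Action": "sts:AssumeRole", "Condition": {}}]}')
QUESTION_ASSUME = json.loads('{"Version": "2012-10-17", "Statement": [{"Effect": "Allow", '
                             '"Action": "sts:AssumeRole", "Resource": "arn:aws:iam::000000000002:root"}]}')

# Constructed sample: the arrangement the answer describes. The role lives in
# CompanyProd and trusts CompanyMain; CompanyMain's policy names the Prod role ARN.
FIXED_TRUST = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
               "Principal": {"AWS": f"arn:aws:iam::{MAIN_ACCOUNT}:root"},
               "Action": "sts:AssumeRole", "Condition": {}}]}
FIXED_ASSUME = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": f"arn:aws:iam::{PROD_ACCOUNT}:role/{ROLE_NAME}"}]}

if __name__ == "__main__":
    for label, trust, assume, acct in (("question", QUESTION_TRUST, QUESTION_ASSUME, MAIN_ACCOUNT),
                                       ("answer", FIXED_TRUST, FIXED_ASSUME, PROD_ACCOUNT)):
        found = check_setup(trust, assume, acct, ROLE_NAME, MAIN_ACCOUNT)
        print(label, "OK" if not found else "\n  - " + "\n  - ".join(found))
    print(switch_role_url(PROD_ACCOUNT, ROLE_NAME))
```

Run it and the question's documents produce three findings (the trust policy names the wrong account, the Resource is an account root, and nothing grants AssumeRole on the role ARN), while the answer's arrangement comes back clean. The generated switch-role link points at the account that owns the role, which is the value to enter in the console's Account field; the role granted AdministratorAccess in the question is broad, so the same check is worth rerunning whenever the trust policy or the group's policy changes.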