具有IAM角色的AWS跨帐户DynamoDB访问权限 [英] aws cross account dynamodb access with IAM role
本文介绍了具有IAM角色的AWS跨帐户DynamoDB访问权限的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!
问题描述
这是一个.Net项目,我的appsettings.Staging.json是这样的。
{
"aws": {
"region": "ap-southeast-1"
},
"DynamoDbTables": {
"BenefitCategory": "stag_table1",
"Benefit": "stag_table2"
},
"Logging": {
"LogLevel": {
"Default": "Debug",
"System": "Information",
"Microsoft": "Information"
}
}
}
这是我附加到"ecsInstanceRole"的内联策略
"xxxxxxxxxxxxx">这是DynamoDB表所在的AWS帐户。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"dynamodb:PutItem",
"dynamodb:DescribeTable",
"dynamodb:DeleteItem",
"dynamodb:GetItem",
"dynamodb:Scan",
"dynamodb:Query",
"dynamodb:UpdateItem",
"dynamodb:DeleteTable",
"dynamodb:UpdateTable",
"dynamodb:GetRecords"
],
"Resource": [
"arn:aws:dynamodb:ap-southeast-1:xxxxxxxxxxx:table/stag_table1",
"arn:aws:dynamodb:ap-southeast-1:xxxxxxxxxxx:table/stag_table2",
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"dynamodb:ListGlobalTables",
"dynamodb:ListTables"
],
"Resource": "*"
}
]
}
在此设置中,API尝试连接到同一帐户中的表。我已经在受信任实体中添加了另一个AWS帐户,角色ecsInstanceRole仍然不起作用。
AWS SDK或AWS ECS/EC2实例是否可以自动在其他AWS帐户中查找DynamoDB表?
推荐答案
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html
这两个帐户都需要EC2的角色策略,以及允许EC2服务承担这些角色的信任策略。目标帐户中的角色策略将授予对DynamoDB表的IAM权限。 然后,源EC2实例将必须承担该角色才能访问该表。授予EC2服务器访问权限以承担角色
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "abcdTrustPolicy",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {"AWS": "arn:aws:iam::SOURCE_ACCOUNT_ID:role/NAME_A"}
}
]
}
允许NAME_A实例配置文件角色切换到其他帐户中的角色
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowToAssumeCrossAccountRole",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::DESTINATION_ACCOUNT_ID:role/ACCESS_DYNAMODB"
}
]
}
授予对名为Access_DynamoDB的DynamoDB的访问权限的角色
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowDDBActions",
"Effect": "Allow",
"Action": [
"dynamodb:*"
],
"Resource": "*"
}
]
}
目标中的信任策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DestinationTrustPolicy",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Principal": {"Service": "ec2.amazonaws.com"}
}
]
}
这篇关于具有IAM角色的AWS跨帐户DynamoDB访问权限的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
查看全文