Enabling AWS IAM Users access to shared bucket/objects


Problem description

Is it possible to expose an Amazon S3 account bucket (shared by ACL settings) to users set up using the new Amazon IAM API under a different account?

I'm able to create a working IAM policy when it relates to users and objects belonging to a single account. But it seems this no longer works when two different accounts are involved, despite account 2 being able to access account 1's bucket directly.

Sample policy is:


{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": [
        "arn:aws:s3:::test1234.doom",
        "arn:aws:s3:::test.doom"
      ],
      "Condition": {}
    }
  ]
}

In this case the IAM user is able to list the test.doom bucket (owned by the same AWS account) but not the 'test1234.doom' bucket (owned by a different AWS account). This is despite one account having correct ACL permissions to access the other bucket.

Recommended answer

It looks like this can't be done.

http://aws.amazon.com/iam/faqs/#Will_users_be_able_to_access_data_controlled_by_AWS_Accounts_other_than_the_account_under_which_they_are_defined

Although it looks like in the future they might be allowed to create data under another account.

http://aws.amazon.com/iam/faqs/#Will_users_be_able_to_create_data_under_AWS_Accounts_other_than_the_account_under_which_they_are_defined
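As an added illustration (not part of the original question or answer): a small audit helper that takes an identity policy like the one in the question, the calling principal's account, and each bucket's owning account, and separates the buckets the identity policy can reach on its own from those owned by another account, which the answer above says the identity policy alone does not reach. The account ids and bucket ownership map are constructed placeholders, not values from the page.

```python
import json

# Constructed sample: the policy from the question, with bucket ownership
# assumed for illustration (account ids are placeholders, not from the page).
POLICY = json.loads("""{
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*"],
     "Resource": ["arn:aws:s3:::test1234.doom", "arn:aws:s3:::test.doom"],
     "Condition": {}}
  ]
}""")
BUCKET_OWNER = {"test.doom": "111111111111", "test1234.doom": "222222222222"}
PRINCIPAL_ACCOUNT = "111111111111"  # the account the IAM user was created under


def bucket_from_arn(arn):
    """Return the bucket name from an S3 ARN such as arn:aws:s3:::bucket/key."""
    prefix = "arn:aws:s3:::"
    if not arn.startswith(prefix):
        raise ValueError(f"not an S3 ARN: {arn}")
    return arn[len(prefix):].split("/", 1)[0]


def audit_policy(policy, principal_account, owners):
    """Classify each bucket named in an Allow statement.

    'reachable': bucket owned by the principal's own account, so the identity
    policy is sufficient.  'foreign': owned by another account (or unknown),
    so the identity policy by itself does not grant access and the bucket
    owner's side must grant it (the situation described in the answer).
    """
    reachable, foreign = [], []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        resources = stmt["Resource"]
        if isinstance(resources, str):
            resources = [resources]
        for arn in resources:
            bucket = bucket_from_arn(arn)
            if owners.get(bucket) == principal_account:
                reachable.append(bucket)
            else:
                foreign.append(bucket)
    return {"reachable": reachable, "foreign": foreign}


if __name__ == "__main__":
    print(json.dumps(audit_policy(POLICY, PRINCIPAL_ACCOUNT, BUCKET_OWNER)))
```

Running it with the sample above reports test.doom as reachable and test1234.doom as foreign, matching the listing behaviour the question describes.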
