Amazon web services 设置IAM用户/角色的跨帐户访问
我有一个主帐户用户,我想允许其访问子帐户S3 bucket。我已在我的子帐户中设置了以下堆栈Amazon web services 设置IAM用户/角色的跨帐户访问,amazon-web-services,amazon-s3,amazon-cloudformation,amazon-iam,Amazon Web Services,Amazon S3,Amazon Cloudformation,Amazon Iam,我有一个主帐户用户,我想允许其访问子帐户S3 bucket。我已在我的子帐户中设置了以下堆栈 AWSTemplateFormatVersion : '2010-09-09' Description: 'Skynet stack to allow admin account deploying user to access S3' Parameters: AccountId: Type: String Description: Account ID of admin acco
AWSTemplateFormatVersion : '2010-09-09'
Description: 'Skynet stack to allow admin account deploying user to access S3'
Parameters:
AccountId:
Type: String
Description: Account ID of admin account (containing user to allow)
Username:
Type: String
Description: Username to be allowed access
BucketPrefix:
Type: String
Description: Bucket to be allowed (prefix appended with -{AccountId}-{Region})
Resources:
CrossAccountRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Action: sts:AssumeRole
Principal:
AWS:
- !Sub arn:aws:iam::${AccountId}:user/${Username}
Path: /
Policies:
- PolicyName: skynet-s3-delegate
PolicyDocument:
Statement:
- Effect: Allow
Action:
- s3:ListBucket
- s3:GetObject
Resource: "*"
但我发现,当我尝试担任该角色时,仍然会出现错误:
aws s3 cp skynet-lambda.zip s3://skynet-lambda-TARGET\u ACCOUNT\u ID-ap-Southast-1——配置skynetci交叉账户
调用AssumeRole操作时发生错误(AccessDenied):用户:arn:aws:iam::MAIN\u ACCOUNT\u ID:用户/circleci skynet无权在资源上执行:sts:AssumeRole:arn:aws:iam::TARGET\u ACCOUNT\u ID:role/StackSet-df0e85b0-d6fd-47bf-a0bb-CrossAccountRole-1EW45TXEFA00D
考虑到我已经为用户制定了以下策略,为什么会这样
{
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::TARGET_ACCOUNT_ID:role/StackSet-df0e85b0-d6fd-47bf-a0bb-CrossAccountRole-1EW45TXEFAY0D"
}
您需要更新Bucket策略以允许跨帐户访问示例策略如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB-ID:root"
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::examplebucket"
]
}
]
}
还要确保尝试访问的IAM用户已附加此内联策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::examplebucket"
]
}
]
}
您可以参考您需要更新Bucket策略以允许跨帐户访问示例策略如下:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB-ID:root"
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::examplebucket"
]
}
]
}
还要确保尝试访问的IAM用户已附加此内联策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::examplebucket"
]
}
]
}
您可以参考要实现您的目标,您需要在目标S3 bucket中设置一个bucket策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DelegateS3Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::MAIN_ACCOUNT_ID:USER_NAME"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*",
"arn:aws:s3:::BUCKET_NAME"
]
}
]
}
并允许此用户具有S3权限
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
]
}
]
}
在这种情况下,您不需要在目标帐户上担任角色。用户本身将能够访问另一个帐户中的bucket。要实现您的目标,您需要在目标S3 bucket中设置bucket策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DelegateS3Access",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::MAIN_ACCOUNT_ID:USER_NAME"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::BUCKET_NAME/*",
"arn:aws:s3:::BUCKET_NAME"
]
}
]
}
并允许此用户具有S3权限
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"*"
]
}
]
}
在这种情况下,您不需要在目标帐户上担任角色。用户本身将能够访问另一个帐户中的bucket。我附上一个工作示例,我使用我的两个帐户进行了测试 步骤1:CloudFormation YAML模板:
AWSTemplateFormatVersion : '2010-09-09'
Description: 'Skynet stack to allow admin account deploying user to access S3'
Parameters:
AccountId:
Type: String
Description: Account ID of admin account (containing user to allow)
Username:
Type: String
Description: Username to be allowed access
BucketPrefix:
Type: String
Description: Bucket to be allowed (prefix appended with -{AccountId}-{Region})
Resources:
CrossAccountRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Action: sts:AssumeRole
Principal:
AWS:
- !Sub arn:aws:iam::${AccountId}:user/${Username}
Path: /
Policies:
- PolicyName: skynet-s3-delegate
PolicyDocument:
Statement:
- Effect: Allow
Action:
- s3:ListBucket
- s3:GetObject
Resource: "*"
RootInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: "/"
Roles:
-
Ref: "CrossAccountRole"
步骤2:创建跨帐户配置文件
修改~/.aws/凭证。添加名为“skynetci交叉帐户”的新配置文件。根据在步骤1中创建的参数进行修改。您将需要角色arn来替换下面的角色。您还需要您授予权限的帐户的配置文件名。在此示例中,配置文件名称为“默认”
示例如下:
[skynetci-cross-account]
role_arn = arn:aws:iam::191070ABCDEF:role/Test-CrossAccountRole-IZDDLRUMABCD
source_profile = default
步骤3:测试交叉访问
aws--profile skynetci交叉帐户s3 ls s3://bucket name我附上了一个工作示例,我使用我的两个帐户进行了测试 步骤1:CloudFormation YAML模板:
AWSTemplateFormatVersion : '2010-09-09'
Description: 'Skynet stack to allow admin account deploying user to access S3'
Parameters:
AccountId:
Type: String
Description: Account ID of admin account (containing user to allow)
Username:
Type: String
Description: Username to be allowed access
BucketPrefix:
Type: String
Description: Bucket to be allowed (prefix appended with -{AccountId}-{Region})
Resources:
CrossAccountRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Action: sts:AssumeRole
Principal:
AWS:
- !Sub arn:aws:iam::${AccountId}:user/${Username}
Path: /
Policies:
- PolicyName: skynet-s3-delegate
PolicyDocument:
Statement:
- Effect: Allow
Action:
- s3:ListBucket
- s3:GetObject
Resource: "*"
RootInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: "/"
Roles:
-
Ref: "CrossAccountRole"
步骤2:创建跨帐户配置文件
修改~/.aws/凭证。添加名为“skynetci交叉帐户”的新配置文件。根据在步骤1中创建的参数进行修改。您将需要角色arn来替换下面的角色。您还需要您授予权限的帐户的配置文件名。在此示例中,配置文件名称为“默认”
示例如下:
[skynetci-cross-account]
role_arn = arn:aws:iam::191070ABCDEF:role/Test-CrossAccountRole-IZDDLRUMABCD
source_profile = default
步骤3:测试交叉访问
aws--profile skynetci交叉账户s3 ls s3://bucket name那么与原始版本的区别在于
InstanceProfile
部分?我查了一下,它应该用于EC2实例?不使用EC2是否正确?实例配置文件实际上是什么?听起来只是个角色?它与S3 bucket方法相比如何?是的,这是正确的。我在我的桌面上测试。S3 bucket方法只是实现相同目标的另一种方法。注意:我使用了您的cloudformation模板,然后对其进行了更正,因为这正是您的问题所要求的。感谢您使用此替代方法。似乎我问的大多数ppl都使用S3桶策略路线。我想我应该用它来代替。不知何故,这更直观一些。就像在本例中一样,我不太明白实例配置文件的作用,因为与原始配置文件不同的是InstanceProfile
部分?我查了一下,它应该用于EC2实例?不使用EC2是否正确?实例配置文件实际上是什么?听起来只是个角色?它与S3 bucket方法相比如何?是的,这是正确的。我在我的桌面上测试。S3 bucket方法只是实现相同目标的另一种方法。注意:我使用了您的cloudformation模板,然后对其进行了更正,因为这正是您的问题所要求的。感谢您使用此替代方法。似乎我问的大多数ppl都使用S3桶策略路线。我想我应该用它来代替。不知何故,这更直观一些。就像在本例中一样,我并不真正理解实例概要文件的作用