[英]EC2 instance with a cross account IAM role
I've created a cross account IAM role in one of my accounts(say account A) and would like to attach that role to an ec2 instance in another account(account B).我在我的一个账户(比如账户 A)中创建了一个跨账户 IAM 角色,并希望将该角色附加到另一个账户(账户 B)中的 ec2 实例。
I tried creating a new role in account B with sts:AssumeRole pointing to the role in A and attached it to an ec2 instance in B. Doesn't seem to be working.我尝试在帐户 B 中创建一个新角色,其中 sts:AssumeRole 指向 A 中的角色并将其附加到 B 中的 ec2 实例。似乎不起作用。
How can the ec2 instance assume the cross account role in A? ec2 实例如何承担 A 中的跨账户角色?
You cannot attach a cross-account IAM role to an EC2 instance directly.您不能直接将跨账户 IAM 角色附加到 EC2 实例。 And having the sts:AssumeRole
permissions does not automatically make the one role assume into the other.并且拥有sts:AssumeRole
权限不会自动让一个角色代入另一个角色。
Instead:反而:
sts:AssumeRole
.为账户 B 中的 EC2 实例创建一个 IAM 角色。授予该角色执行sts:AssumeRole
权限。Then, when you want to access the AWS API from your EC2 instance:然后,当您想从 EC2 实例访问 AWS API 时:
sts:AssumeRole
to assume the cross-account role for Account A, to obtain temporary credentials.执行sts:AssumeRole
为账户 A 代入跨账户角色,获取临时凭证。Supposing the scenario with two accounts A & B the explanatory steps should be:假设有两个账户 A 和 B 的场景,解释步骤应该是:
RoleForB
) to trust account B , and attach to the before created role a IAM policy to allow it to perform some read operations in account A .在账户 A 中,我创建了一个角色(例如RoleForB
)来信任账户 B ,并将IAM 策略附加到之前创建的角色以允许它在账户 A 中执行一些读取操作。 eg ReadOnlyAccess
AssumeRoleInA
) and attach a policy to allow it to assume the role that is created in account A .在账户 B 中,我创建了一个角色(例如AssumeRoleInA
)并附加了一个策略以允许它承担在账户 A 中创建的角色。ec2-profile
the IAM role ( AssumeRoleInA
) created in step 2.在账户 B 中,将在步骤 2 中创建的 IAM 角色 ( AssumeRoleInA
) 关联到您的 EC2 实例ec2-profile
。aws sts assume-role --role-arn "arn:aws:iam::Account_A_ID:role/RoleForB" --role-session-name "EC2FromB"
.在B账户登录到这个EC2实例使用命令来承担帐户A的作用aws sts assume-role --role-arn "arn:aws:iam::Account_A_ID:role/RoleForB" --role-session-name "EC2FromB"
。stdout
either manually or by using a script.在账户 B EC2 终端中,当命令完成第 4 步后,您可以看到访问密钥 ID、秘密访问密钥和会话令牌,无论您从何处路由它,在我们的示例中,手动或使用脚本的stdout
。 You can then assign these values to environment variables ( AWS_ACCESS_KEY_ID
, AWS_SECRET_ACCESS_KEY
, AWS_SESSION_TOKEN
)然后,您可以将这些值分配给环境变量( AWS_ACCESS_KEY_ID
、 AWS_SECRET_ACCESS_KEY
、 AWS_SESSION_TOKEN
)So Let's check the configurations mentioned above step by step but with some mode detail:所以让我们一步一步检查上面提到的配置,但有一些模式细节:
RoleForB
and attaching ReadOnlyAccess
permission to it.与之前在账户 A 中展示的一样,它通过创建名为RoleForB
的角色RoleForB
其附加ReadOnlyAccess
权限来建立对账户 B的信任。{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"AWS": "arn:aws:iam::Account_B_ID:root"},
"Action": "sts:AssumeRole"
}
}
AssumeRoleInA
then attach the corresponding policy
to allow it to assume the role named RoleForB
in account A .在账户 B 中,创建一个名为AssumeRoleInA
的角色,然后附加相应的policy
以允许它在账户 A 中担任名为RoleForB
的角色。{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::Account_A_ID:role/RoleForB"
]
}
]
}
AssumeRoleInA
.在账户 B 中,创建一个新的EC2 实例(如果尚不存在),并将其ec2-profile与名为AssumeRoleInA
的IAM 角色相关AssumeRoleInA
。{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {"Service": "ec2.amazonaws.com"},
"Action": "sts:AssumeRole"
}
}
aws sts assume-role --role-arn "arn:aws:iam::Account_A_ID:role/RoleForB" --role-session-name "EC2FromB"`
eg:例如:
jenkins@bb-jenkins-vault:~$ aws sts assume-role --role-arn arn:aws:iam::521111111144:role/DeployMaster --role-session-name "project-dev-jenkins-deploy"
{
"AssumedRoleUser": {
"AssumedRoleId": "AROAJBXGEHOQBXGEHOQ:project-dev-jenkins-deploy",
"Arn": "arn:aws:sts::521111111144:assumed-role/DeployMaster/project-dev-jenkins-deploy"
},
"Credentials": {
"SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"SessionToken": "FQoGZXIvYXCUm8iG6/zLdQ7foognvCDpxKP7cRJiZgc...CUm8iG6/zLdQ7foognvCDpxKP7c+OQF",
"Expiration": "2019-03-29T15:41:02Z",
"AccessKeyId": "AKIAI44QH8DHBEXAMPLE"
}
}
stdout
either manually or by using a script.在账户 B EC2 终端中,当命令完成第 4 步后,您可以看到访问密钥 ID、秘密访问密钥和会话令牌,无论您从何处路由它,在我们的示例中,手动或使用脚本的stdout
。 You can then assign these values to environment variables然后您可以将这些值分配给环境变量$ export AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE
$ export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
$ export AWS_SESSION_TOKEN=FQoGZXIvYXCUm8iG6/zLdQ...<remainder of security token>
$ aws ec2 describe-instances --region us-east-1
complementary reading: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html补充阅读: https : //docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
You can also export as below for step 5 above :您还可以按以下步骤导出上述第 5 步:
TEMP_ACCESS_ACCOUNT=$(aws sts assume-role --role-arn arn:aws:iam::Account_A_ID:role/RoleForB --role-session-name example)
export AWS_ACCESS_KEY_ID=$(echo ${TEMP_ACCESS_ACCOUNT} | jq -r '.["Credentials"]["AccessKeyId"]')
export AWS_SECRET_ACCESS_KEY=$(echo ${TEMP_ACCESS_ACCOUNT} | jq -r '.["Credentials"]["SecretAccessKey"]')
export AWS_SESSION_TOKEN=$(echo ${TEMP_ACCESS_ACCOUNT} | jq -r '.["Credentials"]["SessionToken"]')
According to the latest docs , you can create a named role profile in ~/.aws/config
, on your EC2 instance in ACCOUNT B, as follows根据最新的文档,您可以在~/.aws/config
创建一个命名角色配置文件,在 ACCOUNT B 中的 EC2 实例上,如下所示
[profile marketingadmin]
role_arn = arn:aws:iam::ACCOUNT_A:role/marketingadminrole
credential_source = Ec2InstanceMetadata
The following might be useful for similar scenarios以下内容可能对类似场景有用
The credential_source attribute supports the following values: credential_source 属性支持以下值:
Environment – Retrieves the source credentials from environment variables.环境 – 从环境变量中检索源凭据。
Ec2InstanceMetadata – Uses the IAM role attached to the Amazon EC2 > instance profile. Ec2InstanceMetadata – 使用附加到 Amazon EC2 > 实例配置文件的 IAM 角色。
EcsContainer – Uses the IAM role attached to the Amazon ECS container. EcsContainer – 使用附加到 Amazon ECS 容器的 IAM 角色。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.