[英]Control Tower AWS - Share s3 bucket
I have recently started to use Control Tower from AWS to manage my multiple account environment.我最近开始使用 AWS 的 Control Tower 来管理我的多账户环境。
My current question is: I have a bucket belonging to the master account that I would like to share console access with some of the accounts of the organization.我目前的问题是:我有一个属于主账户的存储桶,我想与组织的一些账户共享控制台访问权限。 How can I do that?
我怎样才能做到这一点? I have tried adding a bucket policy specifying the accounts and an SSO permission set attached to that account granting access to the bucket but when accessing with that role to s3 I can't see that bucket.
我尝试添加一个存储桶策略,指定帐户和附加到该帐户的 SSO 权限集,授予对存储桶的访问权限,但是当使用该角色访问 s3 时,我看不到该存储桶。
I am able to access the bucket through CLI but not through console , though.不过,我可以通过 CLI 访问存储桶,但不能通过 console 访问。 Ie When accessing with the assigned role through CLI I am able to do
aws s3 ls s3://mybucket
and it shows the folders inside it (other commands work as well).即当通过 CLI 使用分配的角色访问时,我可以执行
aws s3 ls s3://mybucket
并显示其中的文件夹(其他命令也可以)。 But when doing aws s3 ls
the bucket is not listed.但是在执行
aws s3 ls
,未列出存储桶。
bucket policy:存储桶策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": [
"123456789101",
"112131415161",
]
},
"Action": "s3:*",
"Resource": "arn:aws:s3:::mybucket"
}
]
}
permission set:权限集:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::mybucket",
"arn:aws:s3:::mybucket/*"
]
}
]
}
Does anyone know how to allow the users to list it with the rest of the account buckets and through the console on the s3 page?有谁知道如何允许用户通过 s3 页面上的其他帐户存储桶和控制台列出它?
Thank you!!谢谢!!
Daiana戴安娜
As I understand ControlTower, you are not supposed to do anything meaningful in the root account.据我了解 ControlTower,您不应该在 root 帐户中做任何有意义的事情。
Also, there is no shared Console access unless you allow other users to "federate" into the very same account where the bucket was created.此外,除非您允许其他用户“联合”到创建存储桶的同一帐户中,否则没有共享控制台访问权限。 Using the ControlTower this is usually done via Single-Sign-On (SSO)
使用 ControlTower 这通常通过单点登录 (SSO) 完成
My suggestion is: Create a Shared Services/Resources account and allow access to those resources to any member of your organization.我的建议是:创建一个共享服务/资源帐户,并允许您组织的任何成员访问这些资源。 Do this by making use of the new
AWS:PrincipalOrgID
.通过使用新的
AWS:PrincipalOrgID
做到这一点。 For example, see this CloudFormation Snippet for a central SNS queue with sns:Publish
permission from within the AWS organization.:例如,请参阅此 CloudFormation 代码段,了解 AWS 组织内具有
sns:Publish
权限的中央 SNS 队列。:
Resources:
Topic:
Type: AWS::SNS::Topic
Properties:
DisplayName: Name
TopicName: name
TopicPolicy:
Type: AWS::SNS::TopicPolicy
Properties:
Topics:
- !Ref Topic
PolicyDocument:
Version: '2012-10-17'
Statement:
# default permission allow same account: https://www.terraform.io/docs/providers/aws/r/sns_topic_subscription.html
- Sid: __default_statement_ID
Effect: Allow
Principal:
AWS: "*"
Action:
- SNS:GetTopicAttributes
- SNS:SetTopicAttributes
- SNS:AddPermission
- SNS:RemovePermission
- SNS:DeleteTopic
- SNS:Subscribe
- SNS:ListSubscriptionsByTopic
- SNS:Publish
- SNS:Receive
Resource: !Ref Topic
Condition:
StringEquals:
AWS:SourceOwner: !Sub ${AWS::AccountId}
- Sid: SnsTopicPolicy
Effect: Allow
Principal:
AWS: "*"
Condition:
StringEquals:
# allow access from within your organization
AWS:PrincipalOrgID: "o-xxxxxxxxxx"
Action: sns:Publish
Resource: !Ref Topic
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.