堆栈内存溢出
  简体   繁体   English

CloudFormation、S3 存储桶访问跨账户 IAM 角色

[英]CloudFormation, S3 bucket access to cross-acccount IAM role

 原文  2020-03-12 21:34:40       amazon-web-services/ amazon-cloudformation

问题描述

I have 2 accounts, s3_buck_acct and iam_acct .我有 2 个帐户, s3_buck_acctiam_acct I want to provision IAM role from iam_acct to certain actions on the S3 bucket from s3_buck_acct .我想从提供IAM角色iam_acct对从S3斗某些行动s3_buck_acct

Here is the CloudFormation template I came up with that ends up with error:这是我想出的 CloudFormation 模板,但最终出现错误:

Resources:
  S3BucketTest:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: "cross-acct-permission-demo"
      LifecycleConfiguration:
        Rules:
        - Id: LifecycleExpRule 
          ExpirationInDays: '3650'
          Status: Enabled
      BucketEncryption: 
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  S3CURBucketPolicy: 
    Type: AWS::S3::BucketPolicy
    Properties: 
      Bucket: 
        !Ref S3BucketTest
      PolicyDocument: 
        Statement: 
          - Action:
                - 's3:ListBucket'
                - 's3:ListBucketMultipartUploads'
                - 's3:PutObject'
                - 's3:GetObject'
            Effect: "Allow"
            Resource: 
              - "arn:aws:s3:::cross-acct-perm-demo"
              - "arn:aws:s3:::cross-acct-perm-demo/*"
            Principal: "arn:aws:iam::1234567890:role/service-role/test-role-20190828T130835"
          - Action: "*"
            Resource: !Join [ '', ["arn:aws:s3:::", !Ref S3BucketTest, '/*']]
            Principal: '*'
            Effect: Deny
            Condition:
              Bool:
                'aws:SecureTransport':
                  - 'false'

Error message:错误信息:

Invalid policy syntax.策略语法无效。 (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: 91BF8921047D9D3B; S3 Extended Request ID: ZOVOzmFZYN6yB1btOqMqgJjOpzfiUpP86c2XiVylzYkg37fGga8/eYDL7C4WzwhmcDGU7NJkL68=) (服务:Amazon S3;状态代码:400;错误代码:MalformedPolicy;请求 ID:91BF8921047D9D3B;S3 扩展请求 ID:ZOVOzmFZYN6yB1btOqMqgJjOpzfiUpP86c2XiVylzYkg37fZYN6ykg37fZYN6yg37fZYN6cDgwz7dgwdg8e

Not sure where I got this wrong.不知道我哪里出错了。 Can I provision S3 bucket access to cross-account IAM?我可以为跨账户 IAM 配置 S3 存储桶访问权限吗? From the console permissions section, I was able to do it.从控制台权限部分,我能够做到。

2 个解决方案

解决方案1
 2  2020-03-12 22:38:13

Your bucket is called cross-acct-permission-demo but your policy specifies cross-acct-perm-demo .您的存储桶名为cross-acct-permission-demo但您的策略指定了cross-acct-perm-demo Also your indentation is not correct for the first Action (though it should not cause this issue).此外,您的第一个Action缩进不正确(尽管它不应该导致此问题)。 Also not sure if the service-role principle is correct in this context.也不确定service-role原则在这种情况下是否正确。

解决方案2
 1  2020-03-12 22:01:23

If you want IAM users in account A to be able to access resources in account B then you create an IAM role in account B that gives access to the relevant resources in account B, then you define account A as a trusted entity for the IAM role, then you permit access to that role to the relevant users in account A. Those users in account A can now assume the (cross-account) role in account B, and gain access to resources in account B.如果您希望账户 A 中的 IAM 用户能够访问账户 B 中的资源,则您在账户 B 中创建一个 IAM 角色以提供对账户 B 中相关资源的访问权限,然后您将账户 A 定义为 IAM 角色的可信实体,然后您允许账户 A 中的相关用户访问该角色。账户 A 中的这些用户现在可以承担账户 B 中的(跨账户)角色,并获得对账户 B 中资源的访问权限。

See Tutorial: Delegate Access Across AWS Accounts Using IAM Roles请参阅教程:使用 IAM 角色委派跨 AWS 账户的访问权限

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 使用 CloudFormation 为身份池定义 IAM 角色以访问 s3 存储桶 - Defining IAM Roles for Identity Pool with CloudFormation to access s3 bucket 跨账户访问特定 AWS 账户中的 S3 存储桶的 IAM 角色策略 - IAM Role policy for cross account access to S3 bucket in a specific AWS account 我可以使用现有的AWS IAM角色通过Cloudformation模板创建S3存储桶吗? - Can I use existing AWS IAM role to create S3 bucket via Cloudformation template? S3存储桶策略和IAM角色冲突 - S3 Bucket Policy and IAM Role Conflicting 仅可访问特定S3存储桶的IAM组的AWS CloudFormation模板 - AWS CloudFormation Template for an IAM Group That May Only Access a Specific S3 Bucket 如何限制对特定IAM角色的S3 Bucket的访问? - How do I limit access to S3 Bucket for particular IAM Role? 创建一个 IAM 角色,使 Redshift 能够访问 S3 存储桶(只读) - Create an IAM Role that makes Redshift able to access S3 bucket (ReadOnly) CloudFormation Lambda S3存储桶访问被拒绝 - CloudFormation Lambda S3 bucket access denied 使用cloudformation更新S3存储桶的IAM策略 - Update IAM policy for S3 bucket using cloudformation 如何将S3存储桶锁定到特定用户和IAM角色 - How to lockdown S3 bucket to specific users and IAM role(s)
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM