通过角色连接到 2 个不同 AWS 账户的资源
[英]Connect to resources of 2 different AWS accounts via roles
问题描述
Consider 2 AWS accounts A ( Other team ) and B ( Mine ) For my use case, I have to poll to queues in A's AWS account for payload and perform database operations in B. To do this, I have a role created in B having access to my databases + A's account ID as trusted relationship.
考虑 2 个 AWS 账户 A(其他团队)和 B(我的)对于我的用例,我必须轮询 A 的 AWS 账户中的队列以获取有效负载并在 B 中执行数据库操作。为此,我在 B 中创建了一个角色,具有访问我的数据库 + A 的帐户 ID 作为信任关系。 Likewise A has created a role for granting access to queue in A + added B as trusted relationship.同样,A 创建了一个角色,用于授予对 A 中队列的访问权限 + 添加 B 作为受信任关系。
Code for doing all the polling + database action will reside on EC2 in my account ( B ).执行所有轮询 + 数据库操作的代码将驻留在我帐户 ( B ) 中的 EC2 上。 Now how do I consume payloads and perform operations from a role's perspective.现在我如何从角色的角度使用有效负载并执行操作。 Is my understanding correct?我的理解正确吗?
- Assume role A承担角色A
- Poll to provisioning queue, get the JSON payload from SQS轮询到配置队列,从 SQS 获取 JSON 负载
- Assume role B承担角色 B
- Perform database operations in Oracle RDS在 Oracle RDS 中执行数据库操作
- Assume role A承担角色A
- Return back the response to response SQS返回对响应 SQS 的响应
- Start polling again on provisioning queue SQS在配置队列 SQS 上再次开始轮询
FYI : I am performing the above operations using Python + Boto3仅供参考:我正在使用 Python + Boto3 执行上述操作
3 个解决方案
解决方案1
0 2020-03-24 14:22:31
You don't say which programming language or SDK you are using, but essentially you can create two client/service objects, one leveraging credentials from role A and the other from role B. Then simply make API calls using the appropriate client/service object.您没有说明您使用的是哪种编程语言或 SDK,但基本上您可以创建两个客户端/服务对象,一个利用来自角色 A 的凭据,另一个利用来自角色 B 的凭据。然后只需使用适当的客户端/服务对象进行 API 调用.
Using boto3, for example:使用 boto3,例如:
sqs_accounta = boto3.client(
'sqs',
region_name='us-east-1',
aws_access_key_id=xxx,
aws_secret_access_key=yyy,
aws_session_token=zzz
)
rds_accountb = boto3.client(
'rds',
region_name='us-west-2',
aws_access_key_id=aaa,
aws_secret_access_key=bbb,
aws_session_token=ccc
)
解决方案2
0 2020-03-24 14:53:00
Instead of assuming roles, you can grant Cross-Account access to the queues in Account A to the user/role in Account B.您可以向账户 B 中的用户/角色授予对账户 A 中队列的跨账户访问权限,而不是承担角色。
In your case, grant it to EC2 instance role and then you'll be able to do all the required operations from within the instance without any "Assume role" tricks.在您的情况下,将其授予 EC2 实例角色,然后您将能够从实例内执行所有必需的操作,而无需任何“承担角色”技巧。
解决方案3
0 2020-03-26 06:28:35
Pretend for a moment that everything was happening in your own account (Account-B).假装一切都发生在您自己的帐户(帐户-B)中。
You would give a set of credentials to your code (either an IAM User or, if the code is running on an Amazon EC2 instance, you would assign an IAM Role to the instance) that it can use to access the necessary resources in Account B. So, no problem there.您将为您的代码提供一组凭证(IAM 用户,或者,如果代码在 Amazon EC2 实例上运行,您将为该实例分配一个 IAM 角色),它可用于访问账户 B 中的必要资源. 所以,没有问题。
The only additional requirement is that you wish to access Amazon SQS in Account-A.唯一的附加要求是您希望在账户 A 中访问 Amazon SQS。 It so happens that you can add permissions directly to an Amazon SQS queue that grants cross-account access.碰巧的是,您可以直接向授予跨账户访问权限的 Amazon SQS 队列添加权限。
See: Basic Examples of IAM Policies for Amazon SQS - Amazon Simple Queue Service请参阅: Amazon SQS 的 IAM 策略的基本示例 - Amazon Simple Queue Service
So, you do not actually need to assume any roles .因此,您实际上不需要承担任何角色。 Just use the normal credentials that are assigned to your code, and add permissions to the SQS queue to allow that particular IAM User or IAM Role to use the queue.只需使用分配给您的代码的普通凭证,并向 SQS 队列添加权限以允许该特定 IAM 用户或 IAM 角色使用该队列。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.