允许从 Amazon EC2 实例跨账户访问 Amazon S3 存储桶
[英]Allow cross-account access from an Amazon EC2 instance to an Amazon S3 bucket
问题描述
I have S3 bucket "cross-bucket" in Account say B.Now i want EC2 which is present in Account A to access this bucket "cross-bucket" in Account B.
我在账户 B 中有 S3 存储桶“跨存储桶”。现在我希望账户 A 中的 EC2 访问账户 B 中的这个存储桶“跨存储桶”。
I need to achieve this using IAM roles as we are not allowed to create users.我需要使用 IAM 角色来实现这一点,因为我们不允许创建用户。
I have used below template to create role in Account B我已使用以下模板在帐户 B 中创建角色
AWSTemplateFormatVersion : '2010-09-09'
Description: 'Cross account role for S3'
Parameters:
AccountId:
Type: String
Description: Account ID of admin account (containing user to allow)
Resources:
CrossAccountRole:
Type: AWS::IAM::Role
Properties:
AssumeRolePolicyDocument:
Statement:
- Effect: Allow
Action: sts:AssumeRole
Principal:
AWS:
- !Sub arn:aws:iam::${AccountId}:root
Path: /
Policies:
- PolicyName: my-s3-delegate
PolicyDocument:
Statement:
- Effect: Allow
Action:
- s3:ListBucket
- s3:GetObject
Resource: "*"
RootInstanceProfile:
Type: "AWS::IAM::InstanceProfile"
Properties:
Path: "/"
Roles:
-
Ref: "CrossAccountRole"
After creating this role how should i attach this to instance present in Account A?创建此角色后,我应该如何将其附加到帐户 A 中的实例? Or i am missing something here?或者我在这里遗漏了什么?
2 个解决方案
解决方案1
2 2020-07-13 10:35:55
After creating this role how should i attach this to instance present in Account A?
You are not attaching it to an instance in Acc A. Instead, you create an instance role in Acc A. The role will have permissions to assume the role from Acc B.您没有将其附加到 Acc A 中的实例。相反,您在 Acc A 中创建了一个实例角色。该角色将有权从 Acc B 中担任该角色。
Thus, the instance role would have a policy similar to the following one:因此,实例角色将具有类似于以下的策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "<ARN-of-ROLE-in-ACC-B>"
}
}
]
}
Then any application running on the instance would have to use sts assume-role to actually assume the role and perform actions in Acc B.然后在实例上运行的任何应用程序都必须使用sts assume-role来实际承担角色并在 Acc B 中执行操作。
解决方案2
2 已采纳 2020-07-13 11:36:43
Your situation is:你的情况是:
- Amazon EC2 instance in Account-A账户 A 中的 Amazon EC2 实例
- Amazon S3 bucket in Account-B账户 B 中的 Amazon S3 存储桶
- You would like to allow the EC2 instance to access the bucket您希望允许 EC2 实例访问存储桶
There are two ways to do this:有两种方法可以做到这一点:
Option 1: Bucket Policy选项 1:存储桶策略
Simply add a bucket policy to the bucket in Account-B that grants access to the IAM Role used by the EC2 instance:只需将存储桶策略添加到 Account-B 中的存储桶,以授予对 EC2 实例使用的 IAM 角色的访问权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
],
"Principal": {
"AWS": [
"arn:aws:iam::ACCOUNT-A:role/my-ec2-role"
]
}
}
]
}
The EC2 instance will use its normal IAM Role credentials to access the bucket. EC2 实例将使用其正常的 IAM 角色凭证来访问存储桶。 Also make sure the IAM Role has given permission to use Amazon S3 to access the bucket:还要确保 IAM 角色已授予使用 Amazon S3 访问存储桶的权限:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::bucket-b",
"arn:aws:s3:::bucket-b/*"
]
}
]
}
Option 2: Assume Role选项 2:担任角色
- Create an IAM Role in Account-B that has permission to access the bucket在 Account-B 中创建有权访问存储桶的 IAM 角色
- Code on the EC2 instance calls
AssumeRole()on the IAM RoleEC2 实例上的代码调用 IAM 角色上的AssumeRole() - Use the returned credentials to access the bucket使用返回的凭证访问存储桶
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.