[英]AWS S3 bucket - Allow download files to every IAM and Users from specific AWS Account
Look for a policy for S3 bucket that will allow all IAM roles and users from different account, to be able to download files from the bucket that is located in my AWS account.为 S3 存储桶寻找一个策略,该策略将允许来自不同账户的所有 IAM 角色和用户,以便能够从位于我的 AWS 账户中的存储桶下载文件。
Thanks for help感谢帮助
You can apply object level permissions to another account via a bucket policy.您可以通过存储桶策略将 object 级别的权限应用到另一个账户。
By using the principal of the root of the account, every IAM entity in that account is able to interact with the bucket using the permissions in your bucket policy.通过使用账户根的委托人,该账户中的每个 IAM 实体都可以使用您的存储桶策略中的权限与存储桶交互。
An example bucket policy using the root of the account is below.下面是使用帐户根的存储桶策略示例。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Example permissions",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountB-ID:root"
},
"Action": [
"s3:GetBucketLocation",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::awsexamplebucket1"
]
}
]
}
More information is available in the Bucket owner granting cross-account bucket permissions documentation 桶拥有者授予跨账户桶权限文档中提供了更多信息
Fo that, you would need to provide a cross-account access to the objects in your buckets
by giving the IAM role or user in the second Account permission to download ( GET Object
) objects from the needed bucket.为此,您需要通过授予第二个账户中的 IAM 角色或用户从所需存储桶下载 (
GET Object
) 对象的权限来提供对cross-account access to the objects in your buckets
权限。
The following AWS post https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/ provides details on how to define the IAM policy
.以下 AWS 帖子https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/提供了有关如何定义
IAM policy
的详细信息。 In your case, you just need the Get object permission.在您的情况下,您只需要获取 object 权限。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.