堆栈内存溢出
  简体   繁体   English

AWS S3 存储桶 - 允许从特定 AWS 账户将文件下载到每个 IAM 和用户

[英]AWS S3 bucket - Allow download files to every IAM and Users from specific AWS Account

 原文  2021-02-04 14:33:19       amazon-web-services/ amazon-s3

问题描述

Look for a policy for S3 bucket that will allow all IAM roles and users from different account, to be able to download files from the bucket that is located in my AWS account.为 S3 存储桶寻找一个策略,该策略将允许来自不同账户的所有 IAM 角色和用户,以便能够从位于我的 AWS 账户中的存储桶下载文件。

Thanks for help感谢帮助

2 个解决方案

解决方案1
 2  2021-02-04 14:46:33

You can apply object level permissions to another account via a bucket policy.您可以通过存储桶策略将 object 级别的权限应用到另一个账户。

By using the principal of the root of the account, every IAM entity in that account is able to interact with the bucket using the permissions in your bucket policy.通过使用账户根的委托人,该账户中的每个 IAM 实体都可以使用您的存储桶策略中的权限与存储桶交互。

An example bucket policy using the root of the account is below.下面是使用帐户根的存储桶策略示例。

{
   "Version": "2012-10-17",
   "Statement": [
      {
         "Sid": "Example permissions",
         "Effect": "Allow",
         "Principal": {
            "AWS": "arn:aws:iam::AccountB-ID:root"
         },
         "Action": [
            "s3:GetBucketLocation",
            "s3:ListBucket"
         ],
         "Resource": [
            "arn:aws:s3:::awsexamplebucket1"
         ]
      }
   ]
}

More information is available in the Bucket owner granting cross-account bucket permissions documentation 桶拥有者授予跨账户桶权限文档中提供了更多信息

解决方案2
 1  2021-02-04 14:48:04

Fo that, you would need to provide a cross-account access to the objects in your buckets by giving the IAM role or user in the second Account permission to download ( GET Object ) objects from the needed bucket.为此,您需要通过授予第二个账户中的 IAM 角色或用户从所需存储桶下载 ( GET Object ) 对象的权限来提供对cross-account access to the objects in your buckets权限。

The following AWS post https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/ provides details on how to define the IAM policy .以下 AWS 帖子https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-s3/提供了有关如何定义IAM policy的详细信息。 In your case, you just need the Get object permission.在您的情况下,您只需要获取 object 权限。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 如何将驻留在账户 A 中的 s3 存储桶的访问权限授予来自多个 aws 账户的不同 iam 用户? - How to give access of s3 bucket residing in Account A to different iam users from multiple aws accounts? 如何允许访客 Amplify 用户使用 AWS Amplify iOS 开发工具包从我的 S3 存储桶下载文件? - How can I allow guest Amplify users to download files from my S3 bucket using the AWS Amplify iOS SDK? 如何在没有 AWS 帐户的情况下下载 S3 存储桶文件 - How to download S3 bucket files without AWS account 跨账户访问特定 AWS 账户中的 S3 存储桶的 IAM 角色策略 - IAM Role policy for cross account access to S3 bucket in a specific AWS account AWS S3 | 允许被授权者仅从存储桶下载对象 - AWS S3 | Allow grantee to ONLY download objects from the bucket AWS SFTP 必须允许用户在 S3 中下载带有特定标签的文件 - AWS SFTP must allow users to download files with a specific tags in S3 在 AWS S3 存储桶上设置 IAM 策略(允许更改 ACL) - Setting IAM Policy on AWS S3 Bucket (allow change ACL) 允许 IAM 用户访问 AWS S3 Bucket 中的特定文件夹以查看和上传对象 - Allow IAM user to access specific folder in AWS S3 Bucket to view and upload objects 允许用户访问特定 S3 存储桶以进行备份的 AWS IAM 策略 - AWS IAM Policy to allow user access to specific S3 bucket for backup 将文件从s3存储桶复制到另一个AWS账户 - Copy files from s3 bucket to another AWS account
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM