Accessing an S3 Bucket in Account A from an EC2 Instance in Account B using a Cross-Account Role
Account-A

- S3 bucket (sample-s3-bucket-in-account-a) in this account
- sample-s3-bucket-in-account-a is configured with server-side encryption with AWS KMS (SSE-KMS) using aws/s3 (AWS managed key)
- Cross-account role (sample-cross-account-role-4-s3-access-in-account-a) created in this account
  - Account-B is the trusted entity (trust policy)
  - Permission to perform the following actions on sample-s3-bucket-in-account-a: s3:ListBucket, s3:GetBucketLocation, s3:GetObject

Account-B

- EC2 instance with the IAM role sample-iam-role-4-ec2-in-account-b as its instance profile
- sample-iam-role-4-ec2-in-account-b has permission to assume the cross-account role (sample-cross-account-role-4-s3-access-in-account-a) created in Account-A
- On the EC2 instance in Account-B, I can generate temporary STS credentials using aws sts assume-role --role-arn arn:aws:iam::[ACCOUNT-A]:role/sample-cross-account-role-4-s3-access-in-account-a --role-session-name s3-cross-account-access-session. Using these temporary STS credentials, I can list objects present in the S3 bucket in Account-A.
- I can also configure a profile in the ~/.aws/config file and use that profile name in the aws CLI to access objects present in the S3 bucket in Account-A (Reference: https://aws.amazon.com/premiumsupport/knowledge-center/s3-instance-access-bucket/ )
- CodeDeploy agent running on the EC2 instance
  - CodeDeploy agent uses AWS SDK for Ruby
  - CodeDeploy agent runs using root privileges
  - CodeDeploy agent is internally generating STS credentials using the sample-iam-role-4-ec2-in-account-b instance profile/role ( http://169.254.169.254/latest/meta-data/iam/security-credentials/sample-iam-role-4-ec2-in-account-b )
  - CodeDeploy agent fails to download objects from the S3 bucket in Account-A: Access Denied error in the log

Can anyone please tell me how I can make or configure the CodeDeploy agent running in Account-B to assume sample-cross-account-role-4-s3-access-in-account-a instead of sample-iam-role-4-ec2-in-account-b?

I can make things work by using the S3 bucket policy, but the requirement is to use a cross-account IAM role.
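The role setup the question describes, written out as IAM policy documents. This is an added example, not the poster's own configuration: the account ids are placeholders, and the three separate documents are wrapped in one object purely so they fit in a single listing (each value is what you would paste into the respective role).

```json
{
  "trust_policy_of_sample-cross-account-role-4-s3-access-in-account-a": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::[ACCOUNT-B]:role/sample-iam-role-4-ec2-in-account-b"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  },
  "permissions_policy_of_sample-cross-account-role-4-s3-access-in-account-a": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "BucketLevelActions",
        "Effect": "Allow",
        "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
        "Resource": "arn:aws:s3:::sample-s3-bucket-in-account-a"
      },
      {
        "Sid": "ObjectLevelActions",
        "Effect": "Allow",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::sample-s3-bucket-in-account-a/*"
      }
    ]
  },
  "permissions_policy_of_sample-iam-role-4-ec2-in-account-b": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::[ACCOUNT-A]:role/sample-cross-account-role-4-s3-access-in-account-a"
      }
    ]
  }
}
```

Two points worth checking against your own setup. First, the trust policy above names the instance role rather than the whole account (`arn:aws:iam::[ACCOUNT-B]:root`, which is what "Account-B is the trusted entity" usually means); trusting the account root lets any principal in Account-B that holds `sts:AssumeRole` permission assume the role, so naming the role is the narrower choice. Second, `s3:ListBucket` and `s3:GetBucketLocation` are bucket-level actions and must point at the bucket ARN, while `s3:GetObject` must point at `bucket/*`; mixing these up is a common source of the Access Denied the question reports. The SSE-KMS setting with the AWS managed aws/s3 key needs no extra work for this path: the assumed role is a principal in Account-A, and the AWS managed key's default key policy already lets Account-A principals decrypt through S3. The `~/.aws/config` profile the question mentions is the same thing expressed for the CLI: a `[profile ...]` section with `role_arn` set to the cross-account role and `credential_source = Ec2InstanceMetadata`.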
You can't do this, unless you write your own program which will run as part of appspec.yml. Your program would have to "manually" assume the role and get the S3 object.
Otherwise, an S3 bucket policy is the only way to do this.
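What such a program can look like when done with the same `aws sts assume-role` call the question already uses: an added example of a CodeDeploy lifecycle hook script, not code from the answer or from AWS. The script path `scripts/fetch_cross_account_artifact.sh`, the object key and the destination path are assumptions; `[ACCOUNT-A]` is a placeholder. It relies on the CodeDeploy agent exporting `DEPLOYMENT_ID` to hook scripts, so it only performs the download when the agent runs it and is inert when sourced elsewhere.

```shell
#!/bin/sh
# Hypothetical hook script, referenced from appspec.yml as e.g.
#   hooks:
#     BeforeInstall:
#       - location: scripts/fetch_cross_account_artifact.sh
#         runas: root
# Assumes the cross-account role in Account-A and fetches one object with the
# temporary credentials, instead of the instance role the agent itself uses.
set -eu

ROLE_ARN="${ROLE_ARN:-arn:aws:iam::[ACCOUNT-A]:role/sample-cross-account-role-4-s3-access-in-account-a}"
BUCKET="${BUCKET:-sample-s3-bucket-in-account-a}"
OBJECT_KEY="${OBJECT_KEY:-artifacts/app.zip}"   # assumed object key
DEST="${DEST:-/opt/app/app.zip}"                 # assumed destination path

# Turn the single whitespace-separated line
#   "AccessKeyId SecretAccessKey SessionToken"
# (what `aws sts assume-role --query ... --output text` prints) into the
# environment variables that the AWS CLI and every AWS SDK read first.
# Returns 1 instead of exporting partial credentials if a field is missing.
export_session_creds() {
    # word-splitting the line is intended here
    set -- $1
    if [ "$#" -ne 3 ]; then
        echo "assume-role output did not contain exactly three credential fields" >&2
        return 1
    fi
    export AWS_ACCESS_KEY_ID="$1"
    export AWS_SECRET_ACCESS_KEY="$2"
    export AWS_SESSION_TOKEN="$3"
}

# The assume-role call itself is authenticated with the instance role from
# IMDS (the CLI's default credential chain); everything after it uses the
# temporary Account-A credentials. The session name carries the deployment id
# so the access is attributable in Account-A's CloudTrail.
fetch_cross_account_object() {
    creds="$(aws sts assume-role \
        --role-arn "$ROLE_ARN" \
        --role-session-name "codedeploy-${DEPLOYMENT_ID:-manual}" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
        --output text)"
    export_session_creds "$creds"
    aws s3api get-object --bucket "$BUCKET" --key "$OBJECT_KEY" "$DEST" > /dev/null
    # Drop the temporary credentials so later commands in this hook fall back
    # to the instance role rather than silently keeping Account-A access.
    unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Only act when invoked by the CodeDeploy agent, which exports DEPLOYMENT_ID.
if [ -n "${DEPLOYMENT_ID:-}" ]; then
    fetch_cross_account_object
fi
```

This covers objects your application needs at deploy time; it cannot change how the agent downloads the revision bundle itself, which is exactly the limitation the answer describes, so the bundle either lives in Account-B or is granted through a bucket policy.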