堆栈内存溢出
  简体   繁体   English

使用跨账户角色从账户 B 中的 EC2 实例访问账户 A 中的 S3 存储桶

[英]Accessing an S3 Bucket in Account A from an EC2 Instance in Account B using a Cross-Account Role

 原文  2021-10-21 03:58:41       amazon-web-services/ amazon-s3/ amazon-ec2/ amazon-iam/ aws-code-deploy

问题描述

Introduction介绍

  • Account-A
    • There is an S3 bucket ( sample-s3-bucket-in-account-a ) in this account此帐户中有一个 S3 存储桶 ( sample-s3-bucket-in-account-a )
    • This S3 bucket is configured with server-side encryption using AWS KMS ( SSE-KMS )此 S3 存储桶使用AWS KMS ( SSE-KMS ) 配置了服务器端加密
    • The AMS KMS key is aws/s3 (AWS managed key) AMS KMS 密钥是aws/s3 (AWS 托管密钥)
    • The bucket has no bucket policy该存储桶没有存储桶策略
    • There is an IAM cross-account role ( sample-cross-account-role-4-s3-access-in-account-a ) created in this account此账户中创建了一个 IAM 跨账户角色 ( sample-cross-account-role-4-s3-access-in-account-a )
      • Account-B is the trusted entity (trust policy) Account-B是可信实体(信任策略)
      • The permission policy allows the following actions on the S3 bucket ( sample-s3-bucket-in-account-a ):权限策略允许对 S3 存储桶 ( sample-s3-bucket-in-account-a ) 执行以下操作:
        • s3:ListBucket
        • s3:GetBucketLocation
        • s3:GetObject
  • Account-B
    • There is an EC2 instance in this account此账户中有一个 EC2 实例
    • There is also an IAM instance profile and role ( sample-iam-role-4-ec2-in-account-b )还有一个 IAM 实例配置文件和角色( sample-iam-role-4-ec2-in-account-b
    • The IAM instance profile has permission to assume the cross-account role ( sample-cross-account-role-4-s3-access-in-account-a ) created in Account-A IAM 实例配置文件有权sample-cross-account-role-4-s3-access-in-account-aAccount-A创建的跨账户角色 ( sample-cross-account-role-4-s3-access-in-account-a )
    • The IAM instance profile is attached to the EC2 instance IAM 实例配置文件附加到 EC2 实例

Given Facts鉴于事实

  • I can generate temporary STS credentials on the EC2 instance in Account-B using aws sts assume-role --role-arn arn:aws:iam::[ACCOUNT-A]:role/sample-cross-account-role-4-s3-access-in-account-a --role-session-name s3-cross-account-access-session .我可以使用aws sts assume-role --role-arn arn:aws:iam::[ACCOUNT-A]:role/sample-cross-account-role-4-s3-access-in-account-a --role-session-name s3-cross-account-access-sessionAccount-B的 EC2 实例上生成临时 STS 凭证aws sts assume-role --role-arn arn:aws:iam::[ACCOUNT-A]:role/sample-cross-account-role-4-s3-access-in-account-a --role-session-name s3-cross-account-access-session Using these temporary STS credentials, I can list objects present in the S3 bucket in Account-A使用这些临时 STS 凭证,我可以列出Account-A S3 存储桶中存在的对象
  • I can create a profile in the ~/.aws/config file and use that profile name in aws CLI to access objects present in the S3 bucket in Account-A (Reference: https://aws.amazon.com/premiumsupport/knowledge-center/s3-instance-access-bucket/ )我可以创建一个profile~/.aws/config文件,并使用该profile name在AWS CLI来访问在S3存储桶现在的对象Account-A参考: https://aws.amazon.com/premiumsupport/knowledge -center/s3-instance-access-bucket/ )

Problem问题

  • I have a CodeDeploy agent running on the EC2 instance我有一个在 EC2 实例上运行的CodeDeploy代理
  • The CodeDeploy agent uses AWS SDK for Ruby CodeDeploy代理使用AWS SDK for Ruby
  • The CodeDeploy agent runs using root privileges CodeDeploy代理使用root权限运行
  • The CodeDeploy agent is internally generating STS credentials using the sample-iam-role-4-ec2-in-account-b instance profile/role ( http://169.254.169.254/latest/meta-data/iam/security-credentials/sample-iam-role-4-ec2-in-account-b ) CodeDeploy代理使用sample-iam-role-4-ec2-in-account-b实例配置文件/角色sample-iam-role-4-ec2-in-account-b内部生成 STS 凭证 ( http://169.254.169.254/latest/meta-data/iam/security-credentials/sample-iam-role-4-ec2-in-account-b )
  • Unfortunately, these temporary STS credentials are not allowing CodeDeploy agent to download objects from the S3 bucket in Account-A不幸的是,这些临时 STS 凭证不允许CodeDeploy代理从Account-A的 S3 存储桶下载对象
  • There is an Access Denied error in the log日志中有Access Denied错误
  • I can make things work by using the S3 bucket policy but the requirement is to use a cross-account IAM role我可以通过使用 S3 存储桶策略来完成工作,但要求是使用跨账户 IAM 角色

Can anyone please tell me how I can make or configure CodeDeploy agent running in Account-B to assume sample-cross-account-role-4-s3-access-in-account-a instead of sample-iam-role-4-ec2-in-account-b ?谁能告诉我如何制作或配置在Account-B运行的CodeDeploy代理以假设sample-cross-account-role-4-s3-access-in-account-a而不是sample-iam-role-4-ec2-in-account-b ?

1 个解决方案

解决方案1
 0  2021-10-21 04:15:25

I can make things work by using the S3 bucket policy but the requirement is to use a cross-account IAM role我可以通过使用 S3 存储桶策略来完成工作,但要求是使用跨账户 IAM 角色

You can't do this, unless you write your own program which will run as part of appspec.yml .您不能这样做,除非您编写自己的程序,该程序将作为appspec.yml一部分运行。 Your program would have to "manually" assume the role and get S3 object.您的程序必须“手动”承担角色并获取 S3 对象。

Otherwise, S3 bucket policy is the only why to do this.否则,S3 存储桶策略是执行此操作的唯一原因。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 允许从 Amazon EC2 实例跨账户访问 Amazon S3 存储桶 - Allow cross-account access from an Amazon EC2 instance to an Amazon S3 bucket 跨账户 S3 存储桶权限 - Cross-account S3 bucket permissions 具有EC2实例配置文件的AWS CloudWatch跨账户日志记录 - AWS CloudWatch Cross-Account Logging with EC2 Instance Profile 具有跨账户 IAM 角色的 EC2 实例 - EC2 instance with a cross account IAM role 适用于跨账户访问的AWS S3存储桶控制策略 - AWS S3 bucket control policy for cross-account access 基于角色的跨账户 S3 访问 - Role-based cross-account S3 access 使用boto3和python在S3存储桶中跨账户文件上传 - cross-account file upload in S3 bucket using boto3 and python 跨账户统计EC2实例数量 - Count the number of EC2 instances cross-account 将数据从一个帐户中托管的AWS EC2 Windows实例导出到S3到另一个帐户 - Export Data from AWS EC2 windows instance hosted in one account to S3 to another account 授予 EC2 实例中的代码访问另一个账户的 S3 存储桶的权限 - Granting code in EC2 instance access to S3 bucket of another account
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM