[英]Chaining STS assume role across 3 aws accounts
There is an AWS account A, which has a resource X managed by policy Pax.有一个 AWS 账户 A,它有一个由策略 Pax 管理的资源 X。 It adds the second AWS account B to a role which attaches the policy Pax, let's call this role Rax.
它将第二个 AWS 账户 B 添加到附加策略 Pax 的角色中,我们称此角色为 Rax。 Now within the AWS account B, I create another policy for assuming role Rax, let's call it Pbrax and added it to a role RPbrax where the Principal is an AWS account C.
现在,在 AWS 账户 B 中,我创建了另一个策略来扮演角色 Rax,我们称之为 Pbrax,并将其添加到角色 RPbrax,其中 Principal 是 AWS 账户 C。
When I try to access the resource X via the account C, I get access denied.当我尝试通过帐户 C 访问资源 X 时,我被拒绝访问。 I cannot touch anything in AWS account A, but in B and C.
我无法触摸 AWS 账户 A 中的任何内容,但在 B 和 C 中。
Role permissions are not cumulative.角色权限不是累积的。
This means the history of the role chaining doesn't help you - the principal in account C needs to have its own access to the resources in account X if needs to access them.这意味着角色链接的历史对您没有帮助 - 账户 C 中的委托人需要对账户 X 中的资源拥有自己的访问权限才能访问它们。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.