堆栈内存溢出
  简体   繁体   English

AWS EC2 访问被拒绝 S3 跨账户

[英]AWS EC2 Access Denied S3 Cross Account

 原文  2022-09-21 14:19:36       amazon-web-services/ amazon-s3/ amazon-ec2/ amazon-iam/ roles

问题描述

I have two aws accounts A and B.我有两个aws帐户A和B。

In the account A, I have an EC2 running inside a vpc in a private subnet that has a NAT on.在账户 A 中,我有一个 EC2 在一个私有子网中的一个 vpc 内运行,该子网开启了 NAT。 This EC2 has the following role:此 EC2 具有以下作用:

AWS Account A - EC2 Role Trusted entities: AWS 账户 A - EC2 角色 受信任实体:

{
"Version": "2012-10-17",
"Statement": [
    {
        "Effect": "Allow",
        "Principal": {
            "Service": "ec2.amazonaws.com"
        },
        "Action": "sts:AssumeRole"
    }
]

} }

AWS Account A - EC2 Role Policy: AWS 账户 A - EC2 角色策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::ACCOUNT-B-NUMBER:role/aws-access-s3"
        }
    ]
}

In the account B, I created an aws account role passing the aws account A number.在账户 B 中,我创建了一个 aws 账户角色,传递了 aws 账户 A 编号。

AWS Account B - Role aws-access-s3 Trusted entities: AWS 账户 B - 角色 aws-access-s3 可信实体:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::ACCOUNT-A-NUMBER:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

AWS Account B - Role aws-access-s3 Policy: AWS 账户 B - 角色 aws-access-s3 策略:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:*",
                "s3-object-lambda:*"
            ],
            "Resource": "*"
        }
    ]
}

These are my setup and when I try to run the command to list the account B buccket inside the ec2 in Account A I'm getting the error:这些是我的设置,当我尝试运行命令以在账户 A 的 ec2 中列出账户 B 存储桶时,出现错误:

aws s3 ls bucket-name-account-b

Returns:回报:

An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

I don't know what I'm missing, I hope someone can help me.我不知道我错过了什么,我希望有人能帮助我。

1 个解决方案

解决方案1
 1 已采纳  2022-09-21 15:58:54

You need to make a profile to make this process automatic.您需要创建一个配置文件以使此过程自动化。 You can add the following to your .aws/config file您可以将以下内容添加到您的.aws/config文件中

[profile mys3profile]
region = $region
output = json

and the following to your .aws/credentials file.并将以下内容添加到您的.aws/credentials文件中。

[mys3profile]   
role_arn = arn:aws:iam::accountb:role/yourrole
credential_source = Ec2InstanceMetadata

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 从不同帐户上的 ec2 实例上传文件时,aws s3 上的访问被拒绝错误 - Access denied error on aws s3 when uploading a file from an ec2 instance that is on a different account 来自 EC2 和 Lambda 的 AWS S3 访问被拒绝 - AWS S3 Access Denied from EC2 and Lambda AWS EC2 IAM 角色访问在 S3 上被拒绝 - AWS EC2 IAM role access denied on S3 从EC2实例拒绝AWS S3 403访问 - AWS S3 403 Access Denied from EC2 instance EC2 (VPC) 拒绝 AWS S3 访问点访问 - AWS S3 Access point access denied from EC2 (VPC) 允许从 Amazon EC2 实例跨账户访问 Amazon S3 存储桶 - Allow cross-account access from an Amazon EC2 instance to an Amazon S3 bucket 由 AWS Managed Key 加密的 AWS Cross Account S3 PutObject 中的访问被拒绝问题 - Access Denied issue in AWS Cross Account S3 PutObject encrypted by AWS Managed Key AWS S3 存储桶策略访问被拒绝标签条件 EC2 - AWS S3 Bucket Policy Access Denied Tag Condition EC2 从EC2实例到S3的AWS Codedploy代理访问被拒绝 - AWS Codedploy Agent Access denied from EC2 instance to S3 基于 S3 存储桶的 AWS Cloudfront 分配,跨账户对象被拒绝访问 - AWS Cloudfront distribution based on S3 bucket with cross-account objects getting Access denied
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM