AWS EC2 Access Denied S3 Cross Account
I have two AWS accounts, A and B.
In account A, I have an EC2 instance running inside a VPC in a private subnet that has a NAT. This EC2 instance has the following role:
AWS Account A - EC2 Role Trusted entities:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
AWS Account A - EC2 Role Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNT-B-NUMBER:role/aws-access-s3"
    }
  ]
}
In account B, I created an AWS account role, passing the AWS account A number as the trusted entity.
AWS Account B - Role aws-access-s3 Trusted entities:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT-A-NUMBER:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
AWS Account B - Role aws-access-s3 Policy:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:*",
        "s3-object-lambda:*"
      ],
      "Resource": "*"
    }
  ]
}
This is my setup, and when I try to run the command to list the account B bucket from inside the EC2 instance in account A, I get the error:
aws s3 ls bucket-name-account-b
Returns:
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied
I don't know what I'm missing; I hope someone can help me.
You need to make a profile to make this process automatic. You can add the following to your .aws/config file:
[profile mys3profile]
region = $region
output = json
and the following to your .aws/credentials file:
[mys3profile]
role_arn = arn:aws:iam::accountb:role/yourrole
credential_source = Ec2InstanceMetadata
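The profile above makes the CLI assume the account B role instead of calling S3 with the instance role's own credentials. The following added check, which is not part of the question or the answer, walks the four policies posted in the question and reports why the direct call is denied and where the trust policy could be tightened; the instance role name ec2-role is assumed.

```python
import fnmatch

# Constructed copies of the question's policies; account numbers are its placeholders, "ec2-role" is assumed.
CALLER_ACCOUNT = "ACCOUNT-A-NUMBER"
CALLER_ROLE = f"arn:aws:iam::{CALLER_ACCOUNT}:role/ec2-role"
TARGET_ROLE = "arn:aws:iam::ACCOUNT-B-NUMBER:role/aws-access-s3"
EC2_ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE}]}
TARGET_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{CALLER_ACCOUNT}:root"},
     "Action": "sts:AssumeRole", "Condition": {}}]}
TARGET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "s3-object-lambda:*"], "Resource": "*"}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def allows(doc, action, resource=None, principal=None):
    """True if an Allow statement matches (IAM '*' wildcards). Simplified: ignores Deny,
    Condition, NotAction/NotResource and bare-account-ID principals."""
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", []))):
            continue
        if resource and not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(st.get("Resource", []))):
            continue
        if principal:
            p = st.get("Principal", {})
            if principal not in _as_list(p.get("AWS", []) if isinstance(p, dict) else p):
                continue
        return True
    return False

def diagnose(bucket):
    bucket_arn, findings = f"arn:aws:s3:::{bucket}", []
    # `aws s3 ls` uses the instance role's own credentials, which only allow sts:AssumeRole: ListBucket is denied before account B is consulted.
    if not allows(EC2_ROLE_POLICY, "s3:ListBucket", bucket_arn):
        findings.append("instance role cannot s3:ListBucket directly; assume the account B role first")
    if not allows(EC2_ROLE_POLICY, "sts:AssumeRole", TARGET_ROLE):
        findings.append("instance role may not assume " + TARGET_ROLE)
    # ':root' trusts every principal in account A holding sts:AssumeRole permission; naming the instance role is least privilege.
    if allows(TARGET_TRUST, "sts:AssumeRole", principal=f"arn:aws:iam::{CALLER_ACCOUNT}:root"):
        findings.append("trust policy admits all of account A; scope Principal to " + CALLER_ROLE)
    elif not allows(TARGET_TRUST, "sts:AssumeRole", principal=CALLER_ROLE):
        findings.append("target role does not trust the instance role")
    if not allows(TARGET_POLICY, "s3:ListBucket", bucket_arn):
        findings.append("assumed role lacks s3:ListBucket on " + bucket_arn)
    return findings
```

Running `diagnose("bucket-name-account-b")` reports the direct-call denial the question hits and the broad `:root` trust; once the CLI assumes the role via the profile, only the second finding remains.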