
Cross account ssm start session

Was trying to start a session [terminal] via ssm on an instance in another account, using the command

aws ssm start-session --target i-yyyaf4692d801d1xx --region ap-south-1

but it was failing with the response "Target is not connected".

  • We usually get this response when the instance is not found in the inventory of Systems Manager, which I can't add to, as the instance is in another account.

End goal: I wish users created in Account A to be able to start sessions on instances in Account B, both part of the same organisation.

Also,

  • my user has the appropriate permissions; I have verified it through the IAM Simulator
  • it seems instance IDs are unique and associated with one account only.
  • the instance is accessible by local users in that account.

You need to delegate access between the accounts. You can do this by creating a role in the target account which is allowed to be assumed by users in the other account.

Set up the access:

  1. Create an IAM role with the necessary IAM permissions to access the instances in the target account (account B).
  2. Create a trust relationship on the role in the target account to trust the appropriate principals (users or roles) in the source account (account A).
  3. Grant the appropriate principals (users or roles) in the source account (account A) permission to call the sts assume-role API for the role in the target account (account B).

Use the access:

  1. From your user profile or role in account A, call the sts assume-role API to obtain credentials for the role you created in account B.
  2. Use the credentials returned by the sts assume-role call to call the API with the identity assumed in account B and access the resources.

See: cross-account IAM access for more details.
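The setup and use steps above, as an added example that is not part of the original answer: it writes the account B role policy and trust policy, the account A assume-role policy, and a CLI profile that assumes the role, then prints the commands to apply them and to check that the instance is actually SSM-managed in account B before starting the session (all account IDs, names and the instance ID are placeholders).

```shell
#!/bin/sh
# Added example, not from the original post. Account IDs, role, user and instance
# ID below are placeholders (assumptions) to replace with your own values.
set -eu
SRC_ACCOUNT="111111111111"; TGT_ACCOUNT="222222222222"      # account A / account B
ROLE_NAME="CrossAccountSsmSession"; OPERATOR="ssm-operator"  # role in B, user in A
INSTANCE_ID="i-0123456789abcdef0"; REGION="ap-south-1"
OUT="${OUT:-$(mktemp -d)}"
ROLE_ARN="arn:aws:iam::${TGT_ACCOUNT}:role/${ROLE_NAME}"
# Steps 1+2 (account B): role permissions limited to one instance, plus a trust
# policy that lets only the named user in account A assume the role.
write_account_b_policies() {
  cat > "$OUT/role-policy.json" <<EOF
{"Version":"2012-10-17","Statement":[
 {"Effect":"Allow","Action":"ssm:StartSession",
  "Resource":"arn:aws:ec2:${REGION}:${TGT_ACCOUNT}:instance/${INSTANCE_ID}"},
 {"Effect":"Allow","Action":["ssm:TerminateSession","ssm:ResumeSession"],
  "Resource":"arn:aws:ssm:*:*:session/*"}]}
EOF
  cat > "$OUT/trust-policy.json" <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"sts:AssumeRole",
 "Principal":{"AWS":"arn:aws:iam::${SRC_ACCOUNT}:user/${OPERATOR}"}}]}
EOF
}
# Step 3 (account A): the user may assume only that one role in account B.
write_account_a_policy() {
  cat > "$OUT/assume-policy.json" <<EOF
{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Action":"sts:AssumeRole","Resource":"${ROLE_ARN}"}]}
EOF
}
# "Use the access": a CLI profile that assumes the role, so every command runs
# with account B credentials instead of the user's own account A credentials.
write_cli_profile() {
  printf '[profile account-b-ssm]\nrole_arn = %s\nsource_profile = default\nregion = %s\n' \
    "$ROLE_ARN" "$REGION" > "$OUT/aws-config"
}
write_account_b_policies; write_account_a_policy; write_cli_profile
cat <<EOF
Files written to $OUT. Commands to run (account B admin, account A admin, then the user):
aws iam create-role --role-name $ROLE_NAME --assume-role-policy-document file://$OUT/trust-policy.json
aws iam put-role-policy --role-name $ROLE_NAME --policy-name SsmSession --policy-document file://$OUT/role-policy.json
aws iam put-user-policy --user-name $OPERATOR --policy-name AssumeSsmRole --policy-document file://$OUT/assume-policy.json
# append $OUT/aws-config to ~/.aws/config, then verify the instance is SSM-managed in B:
aws ssm describe-instance-information --profile account-b-ssm --filters Key=InstanceIds,Values=$INSTANCE_ID
aws ssm start-session --profile account-b-ssm --target $INSTANCE_ID
EOF
```

If describe-instance-information returns nothing under the account B profile, the "Target is not connected" error is not an access problem but the agent or instance profile on the instance itself.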
