stackoom
  简体   繁体   中英

S3 Cross Account Access With Role

 原文  2017-04-26 19:39:36       amazon-web-services/ amazon-s3/ amazon-iam

Question

I need to create a cross account role to access the resources of S3 bucket from another aws account that I owns.

Please help me to implement this using the cross account IAM role without using Access or secret keys.

1 answers

solution1
 3 ACCPTED  2017-04-27 05:19:02

Let's say you have:

  • Role A in Account A
  • Instance A in Account A that is associated with Role A
  • Bucket B in Account B

You wish to allow an application on Instance A to access the content of Bucket B.

The Request Information That You Can Use for Policy Variables documentation has a table showing various values of aws:userid including:

For Role assigned to an Amazon EC2 instance , it is set to role-id:ec2-instance-id

Therefore, you could use the Role ID of the role associated with the Amazon EC2 instance to permit access OR the Instance ID .

For example, this bucket policy is based on a Role ID : 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SID123",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::MYBUCKET",
                "arn:aws:s3:::MYBUCKET/*"
            ],
            "Principal": "*",
            "Condition": {
                "StringLike": {
                    "aws:userid": [
                        "AROAIIPEUJOUGITIU5BB6*"
                    ]
                }
            }
        }
    ]
}

To obtain the Role ID, use: 

aws iam get-role --role-name ROLENAME

This bucket policy is based on an Instance ID : 

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "SID123",
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": [
                "arn:aws:s3:::MYBUCKET",
                "arn:aws:s3:::MYBUCKET/*"
            ],
            "Principal": "*",
            "Condition": {
                "StringLike": {
                    "aws:userid": [
                        "*:i-03c9a5f3fae4b630a"
                    ]
                }
            }
        }
    ]
}

The Instance ID will remain with the instance, but a new one will be assigned if a new instance is launched, even from the same Amazon Machine Image (AMI).

Of course, you'd probably want to restrict those permissions to just s3:GetObject rather than s3:* .

(This answer based on Granting access to S3 resources based on role name .)

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Role-based cross-account S3 access Cross account S3 access from the same AWS role S3 Cross account access IAM Role policy for cross account access to S3 bucket in a specific AWS account Give S3 Full access cross account Cross Account S3 Access for a public buket Cross account S3 access with CannedACL S3 cross account access involving 3 accounts AWS Datasync S3 -> S3 cross account, confused about destination role/account Accessing an S3 Bucket in Account A from an EC2 Instance in Account B using a Cross-Account Role
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM