
CloudFormation, S3 bucket access to cross-account IAM role

I have 2 accounts, s3_buck_acct and iam_acct . I want to provision an IAM role from iam_acct with certain actions on the S3 bucket from s3_buck_acct .

Here is the CloudFormation template I came up with, which ends up with an error:

Resources:
  S3BucketTest:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: "cross-acct-permission-demo"
      LifecycleConfiguration:
        Rules:
        - Id: LifecycleExpRule 
          ExpirationInDays: '3650'
          Status: Enabled
      BucketEncryption: 
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256

  S3CURBucketPolicy: 
    Type: AWS::S3::BucketPolicy
    Properties: 
      Bucket: 
        !Ref S3BucketTest
      PolicyDocument: 
        Statement: 
          - Action:
                - 's3:ListBucket'
                - 's3:ListBucketMultipartUploads'
                - 's3:PutObject'
                - 's3:GetObject'
            Effect: "Allow"
            Resource: 
              - "arn:aws:s3:::cross-acct-perm-demo"
              - "arn:aws:s3:::cross-acct-perm-demo/*"
            Principal: "arn:aws:iam::1234567890:role/service-role/test-role-20190828T130835"
          - Action: "*"
            Resource: !Join [ '', ["arn:aws:s3:::", !Ref S3BucketTest, '/*']]
            Principal: '*'
            Effect: Deny
            Condition:
              Bool:
                'aws:SecureTransport':
                  - 'false'

Error message:

Invalid policy syntax. (Service: Amazon S3; Status Code: 400; Error Code: MalformedPolicy; Request ID: 91BF8921047D9D3B; S3 Extended Request ID: ZOVOzmFZYN6yB1btOqMqgJjOpzfiUpP86c2XiVylzYkg37fGga8/eYDL7C4WzwhmcDGU7NJkL68=)

Not sure where I got this wrong. Can I provision S3 bucket access to cross-account IAM? From the console permissions section, I was able to do it.

Your bucket is called cross-acct-permission-demo but your policy specifies cross-acct-perm-demo . Also, your indentation is not correct for the first Action (though it should not cause this issue). Also, not sure if the service-role principal is correct in this context.

If you want IAM users in account A to be able to access resources in account B then you create an IAM role in account B that gives access to the relevant resources in account B, then you define account A as a trusted entity for the IAM role, then you permit access to that role to the relevant users in account A. Those users in account A can now assume the (cross-account) role in account B, and gain access to resources in account B.

See Tutorial: Delegate Access Across AWS Accounts Using IAM Roles
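As an added example (not part of the question or the answer above), here are the two templates that make the asker's own approach work: a bucket policy in s3_buck_acct that grants the external role, plus an identity policy in iam_acct, since cross-account access needs both sides to allow the actions. Beyond the name mismatch the answer points out, the `Invalid policy syntax` message is what S3 returns when an IAM principal is given as a bare ARN string; in a bucket policy a bare string is accepted only for `*`, and a role ARN must sit under the `AWS` key. The parameter names (`ExternalRoleArn`, `ExistingRoleName`, `BucketName`) and the `Sid` values are my own choices, and the role in iam_acct is assumed to exist already. The two templates are separate stacks in separate accounts, shown here in one block separated by `---`.

```yaml
# Stack 1: deployed in s3_buck_acct (the bucket owner). Added example, not the poster's template.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ExternalRoleArn:
    Type: String
    Description: ARN of the role in iam_acct that may use the bucket (must already exist)
    AllowedPattern: '^arn:aws:iam::[0-9]{12}:role/.+$'

Resources:
  S3BucketTest:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: cross-acct-permission-demo
      LifecycleConfiguration:
        Rules:
          - Id: LifecycleExpRule
            ExpirationInDays: 3650
            Status: Enabled
      BucketEncryption:
        ServerSideEncryptionConfiguration:
          - ServerSideEncryptionByDefault:
              SSEAlgorithm: AES256
      # Objects written by the other account are owned by this account,
      # so no bucket-owner-full-control ACL condition is needed.
      OwnershipControls:
        Rules:
          - ObjectOwnership: BucketOwnerEnforced
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

  S3CURBucketPolicy:
    Type: AWS::S3::BucketPolicy
    Properties:
      Bucket: !Ref S3BucketTest
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Sid: AllowExternalRole
            Effect: Allow
            # IAM principals go under the AWS key; a bare ARN string is rejected.
            Principal:
              AWS: !Ref ExternalRoleArn
            Action:
              - s3:ListBucket
              - s3:ListBucketMultipartUploads
              - s3:GetObject
              - s3:PutObject
            # Derive the ARNs from the resource so they cannot drift from BucketName.
            Resource:
              - !GetAtt S3BucketTest.Arn
              - !Sub '${S3BucketTest.Arn}/*'
          - Sid: DenyInsecureTransport
            Effect: Deny
            Principal: '*'
            Action: 's3:*'
            # Cover the bucket as well as the objects so listing over HTTP is denied too.
            Resource:
              - !GetAtt S3BucketTest.Arn
              - !Sub '${S3BucketTest.Arn}/*'
            Condition:
              Bool:
                aws:SecureTransport: 'false'

---
# Stack 2: deployed in iam_acct. The bucket policy alone is not enough across
# accounts; the calling role's own identity policy must also allow the actions.
AWSTemplateFormatVersion: '2010-09-09'
Parameters:
  ExistingRoleName:
    Type: String
    Description: Name of the existing role (the name only, without the service-role/ path)
  BucketName:
    Type: String
    Default: cross-acct-permission-demo

Resources:
  CrossAccountBucketAccess:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: cross-acct-permission-demo-access
      Roles:
        - !Ref ExistingRoleName
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:ListBucket
              - s3:ListBucketMultipartUploads
              - s3:GetObject
              - s3:PutObject
            Resource:
              - !Sub 'arn:aws:s3:::${BucketName}'
              - !Sub 'arn:aws:s3:::${BucketName}/*'
```

Deploy order matters: S3 validates the principal when the bucket policy is put, so the role in iam_acct must exist before stack 1 is created, and if that role is later deleted and recreated its ARN must be updated here (S3 rewrites a deleted principal to its unique ID and the policy stops matching). `aws cloudformation validate-template` only checks CloudFormation syntax; the policy grammar and the resource-to-bucket match are checked by S3 at deploy time, which is why the original error surfaced only then. The answer's alternative, a role in s3_buck_acct that trusts iam_acct and is assumed via `sts:AssumeRole`, is covered by the tutorial linked above.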
