
Chaining STS assume role across 3 aws accounts

There is an AWS account A, which has a resource X managed by policy Pax. It adds a second AWS account, B, to a role that has the policy Pax attached; let's call this role Rax. Now within AWS account B, I create another policy for assuming role Rax, let's call it Pbrax, and add it to a role RPbrax whose Principal is an AWS account C.

When I try to access resource X via account C, I get access denied. I cannot touch anything in AWS account A, but I can in B and C.

Role permissions are not cumulative.

This means the history of the role chaining doesn't help you - the principal in account C needs to have its own access to the resources in account X if it needs to access them.
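To make the answer's point concrete, here is an added example (not code from the question or the answer) that models the three-account chain as described: C assumes RPbrax in B, RPbrax assumes Rax in A, and only the Rax session carries Pax. The account ids, ARNs and the bucket object standing in for resource X are constructed placeholders; the caller's own policy in account C (`PC`) is an assumption the question does not show; the policy evaluator is a toy that handles only Allow/Deny with wildcard matching; and `FakeSts` mimics the keyword signature of boto3's `sts.assume_role` so the call sequence reads like the real one.

```python
"""Toy model of the C -> RPbrax (B) -> Rax (A) -> X chain. Added example;
account ids, ARNs and the object standing in for X are constructed."""
import fnmatch
from dataclasses import dataclass
from typing import Dict, List, Tuple

ACCOUNT_A = "111111111111"  # constructed: owns resource X and role Rax
ACCOUNT_B = "222222222222"  # constructed: owns role RPbrax
ACCOUNT_C = "333333333333"  # constructed: where the caller lives
RESOURCE_X = "arn:aws:s3:::bucket-x/report.csv"  # constructed stand-in for X
RAX_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/Rax"
RPBRAX_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/RPbrax"

# Pax: permissions on X, attached to Rax in account A.
PAX = {"Statement": [{"Effect": "Allow", "Action": "s3:GetObject",
                      "Resource": "arn:aws:s3:::bucket-x/*"}]}
# Rax trust policy: only principals in account B may assume it.
RAX_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                            "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"}}]}
# Pbrax: attached to RPbrax in B; grants sts:AssumeRole on Rax and nothing else.
PBRAX = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Resource": RAX_ARN}]}
# RPbrax trust policy: principals in account C may assume it.
RPBRAX_TRUST = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_C}:root"}}]}
# Assumed caller policy in account C (the question does not show it).
PC = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                    "Resource": RPBRAX_ARN}]}


def _as_list(value) -> List[str]:
    return value if isinstance(value, list) else [value]


def is_allowed(policy: Dict, action: str, resource: str) -> bool:
    """Toy IAM evaluation: an explicit Deny wins, otherwise a matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
               and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trusts_account(trust_policy: Dict, account_id: str) -> bool:
    """True if the trust policy lets a principal from account_id call sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        for arn in _as_list(stmt["Principal"]["AWS"]):
            if (stmt["Effect"] == "Allow" and stmt["Action"] == "sts:AssumeRole"
                    and arn.split(":")[4] == account_id):
                return True
    return False


@dataclass
class Credentials:
    """A session carries the account it belongs to and ONLY that role's policy."""
    account: str
    policy: Dict


# role ARN -> (owning account, trust policy, permissions policy)
ROLES: Dict[str, Tuple[str, Dict, Dict]] = {
    RAX_ARN: (ACCOUNT_A, RAX_TRUST, PAX),
    RPBRAX_ARN: (ACCOUNT_B, RPBRAX_TRUST, PBRAX),
}


class FakeSts:
    """Stand-in for a boto3 STS client built from `creds`."""

    def __init__(self, creds: Credentials):
        self.creds = creds

    def assume_role(self, RoleArn: str, RoleSessionName: str) -> Dict:
        account, trust, perms = ROLES[RoleArn]
        # Both sides must agree: the target role trusts the caller's account, and
        # the caller's current policy permits sts:AssumeRole on that role ARN.
        if not trusts_account(trust, self.creds.account):
            raise PermissionError(f"AccessDenied: {RoleArn} does not trust {self.creds.account}")
        if not is_allowed(self.creds.policy, "sts:AssumeRole", RoleArn):
            raise PermissionError(f"AccessDenied: caller may not assume {RoleArn}")
        # The new session carries the assumed role's policy only; nothing is inherited.
        return {"Credentials": Credentials(account, perms)}


def hop1_from_c() -> Credentials:
    """C -> RPbrax. The resulting session holds Pbrax, not Pax."""
    caller = Credentials(ACCOUNT_C, PC)
    return FakeSts(caller).assume_role(RoleArn=RPBRAX_ARN, RoleSessionName="c-to-b")["Credentials"]


def can_read_x_after_one_hop() -> bool:
    return is_allowed(hop1_from_c().policy, "s3:GetObject", RESOURCE_X)  # False


def can_read_x_after_two_hops() -> bool:
    """RPbrax -> Rax: only this session carries Pax."""
    hop2 = FakeSts(hop1_from_c()).assume_role(RoleArn=RAX_ARN, RoleSessionName="b-to-a")["Credentials"]
    return is_allowed(hop2.policy, "s3:GetObject", RESOURCE_X)  # True


def direct_c_to_a_denied() -> bool:
    """Skipping B fails: Rax trusts only account B."""
    try:
        FakeSts(Credentials(ACCOUNT_C, PC)).assume_role(RoleArn=RAX_ARN, RoleSessionName="c-to-a")
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    print("read X with RPbrax session:", can_read_x_after_one_hop())
    print("read X with Rax session:   ", can_read_x_after_two_hops())
    print("C -> Rax directly denied:  ", direct_c_to_a_denied())
```

Against real AWS the second hop is built the same way: take the `Credentials` returned by the first `assume_role` call and construct a new STS client from them (`boto3.client("sts", aws_access_key_id=..., aws_secret_access_key=..., aws_session_token=...)`) before calling `assume_role` on Rax. Note that AWS treats this as role chaining and caps the chained session's duration at one hour regardless of the role's configured maximum, so long-running jobs need to re-assume rather than request a longer `DurationSeconds`.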
