问题
I need to create a cross account role to access the resources of S3 bucket from another aws account that I owns.
Please help me to implement this using the cross account IAM role without using Access or secret keys.
回答1:
Let's say you have:
- Role A in Account A
- Instance A in Account A that is associated with Role A
- Bucket B in Account B
You wish to allow an application on Instance A to access the content of Bucket B.
The Request Information That You Can Use for Policy Variables documentation has a table showing various values of aws:userid including:
For Role assigned to an Amazon EC2 instance, it is set to
role-id:ec2-instance-id
Therefore, you could use the Role ID of the role associated with the Amazon EC2 instance to permit access OR the Instance ID.
For example, this bucket policy is based on a Role ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SID123",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::MYBUCKET",
"arn:aws:s3:::MYBUCKET/*"
],
"Principal": "*",
"Condition": {
"StringLike": {
"aws:userid": [
"AROAIIPEUJOUGITIU5BB6*"
]
}
}
}
]
}
To obtain the Role ID, use:
aws iam get-role --role-name ROLENAME
This bucket policy is based on an Instance ID:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "SID123",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::MYBUCKET",
"arn:aws:s3:::MYBUCKET/*"
],
"Principal": "*",
"Condition": {
"StringLike": {
"aws:userid": [
"*:i-03c9a5f3fae4b630a"
]
}
}
}
]
}
The Instance ID will remain with the instance, but a new one will be assigned if a new instance is launched, even from the same Amazon Machine Image (AMI).
Of course, you'd probably want to restrict those permissions to just s3:GetObject rather than s3:*.
(This answer based on Granting access to S3 resources based on role name.)
来源:https://stackoverflow.com/questions/43643148/s3-cross-account-access-with-role