问题
My understanding is,
Service control policy and resource based policies are mainly used to allow/deny cross account access to resources.
From the policy evaluation procedure explained here, I learned that IAM permission policy(managed or inline) is used to grant/deny permissions to Principal within an AWS account.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/Somerole",
"Effect": "Allow"
}
]
}
But above is the IAM permission policy, written to grant permissions to Principal in the source account, to have access(sts::AssumeRole) to other account resources(Somerole).
Can IAM permission policy be defined to allow Principal in source AWS account get permissions(sts:AssumeRole) to access resources(Somerole) that are present in other accounts(*:role)? In our case Principal is an IAM role in the source AWS account.
回答1:
The other account would need to have granted access to the account. The role in the other account would need a trust relationship similar to this (often it has conditions added to it as well):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<AccountId_A>:root"
},
"Action": "sts:AssumeRole"
}
]
}
This example assumes that is the account you are granting the IAM permission in.
来源:https://stackoverflow.com/questions/60272651/can-iam-permission-policy-used-to-allow-access-to-cross-account-resource