1. 首頁
  2. 問答
  3. 設置IAM用戶/角色的跨賬戶訪問權限

設置IAM用戶/角色的跨賬戶訪問權限

2017-10-18 195 views
0

我有一個主賬戶用戶,我想允許訪問子賬戶S3存儲桶。我已經安裝了下面的堆棧在我的子賬戶設置IAM用戶/角色的跨賬戶訪問權限

AWSTemplateFormatVersion : '2010-09-09' 
Description: 'Skynet stack to allow admin account deploying user to access S3' 

Parameters: 
    AccountId: 
    Type: String 
    Description: Account ID of admin account (containing user to allow) 
    Username: 
    Type: String 
    Description: Username to be allowed access 
    BucketPrefix: 
    Type: String 
    Description: Bucket to be allowed (prefix appended with -{AccountId}-{Region}) 

Resources: 
    CrossAccountRole: 
    Type: AWS::IAM::Role 
    Properties: 
     AssumeRolePolicyDocument: 
     Statement: 
      - Effect: Allow 
      Action: sts:AssumeRole 
      Principal: 
       AWS: 
       - !Sub arn:aws:iam::${AccountId}:user/${Username} 
     Path:/
     Policies: 
     - PolicyName: skynet-s3-delegate 
      PolicyDocument: 
      Statement: 
       - Effect: Allow 
       Action: 
        - s3:ListBucket 
        - s3:GetObject 
       Resource: "*"

但我發現,當我嘗試承擔該角色,我仍然得到一個錯誤:

aws s3 cp skynet-lambda.zip s3://skynet-lambda-TARGET_ACCOUNT_ID-ap-southeast-1 --profile skynetci-cross-account

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::MAIN_ACCOUNT_ID:user/circleci-skynet is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::TARGET_ACCOUNT_ID:role/StackSet-df0e85b0-d6fd-47bf-a0bb-CrossAccountRole-1EW45TXEFAY0D

爲什麼這麼考慮我已經對用戶有以下政策

{ 
     "Effect": "Allow", 
     "Action": [ 
      "sts:AssumeRole" 
     ], 
     "Resource": "arn:aws:iam::TARGET_ACCOUNT_ID:role/StackSet-df0e85b0-d6fd-47bf-a0bb-CrossAccountRole-1EW45TXEFAY0D" 
    }

來源

2017-10-18 Jiew Meng

回答

6

你需要有鬥策略更新,以允許跨賬戶訪問樣本政策會是這樣的:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
     "Sid": "Example permissions", 
     "Effect": "Allow", 
     "Principal": { 
      "AWS": "arn:aws:iam::AccountB-ID:root" 
     }, 
     "Action": [ 
      "s3:*" 
     ], 
     "Resource": [ 
      "arn:aws:s3:::examplebucket" 
     ] 
     } 
    ] 
}

也使誰試圖訪問確保IAM用戶連接此內嵌政策:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
     "Sid": "Example", 
     "Effect": "Allow", 
     "Action": [ 
      "s3:*" 
     ], 
     "Resource": [ 
      "arn:aws:s3:::examplebucket" 
     ] 
     } 
    ] 
}

你可以參考AWS Documentation

來源

2017-10-26 16:05:11

0

爲了實現你的目標,你需要設置一個桶政策在目標S3存儲桶:

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
      "Sid": "DelegateS3Access", 
      "Effect": "Allow", 
      "Principal": { 
       "AWS": "arn:aws:iam::MAIN_ACCOUNT_ID:USER_NAME" 
      }, 
      "Action": "s3:*", 
      "Resource": [ 
       "arn:aws:s3:::BUCKET_NAME/*", 
       "arn:aws:s3:::BUCKET_NAME" 
      ] 
     } 
    ] 
}

並允許此用戶使用S3權限。

{ 
    "Version": "2012-10-17", 
    "Statement": [ 
     { 
     "Sid": "Example", 
     "Effect": "Allow", 
     "Action": [ 
      "s3:*" 
     ], 
     "Resource": [ 
      "*"    
     ] 
     } 
    ] 
}

在這種情況下,您不需要在目標帳戶上擔任角色。用戶本身將能夠訪問另一個帳戶中的存儲分區。

來源

2017-10-26 16:16:33

1

我附上了一個使用我的兩個賬戶進行測試的工作示例。

STEP 1:CloudFormation YAML模板:

AWSTemplateFormatVersion : '2010-09-09' 
Description: 'Skynet stack to allow admin account deploying user to access S3' 

Parameters: 
    AccountId: 
    Type: String 
    Description: Account ID of admin account (containing user to allow) 
    Username: 
    Type: String 
    Description: Username to be allowed access 
    BucketPrefix: 
    Type: String 
    Description: Bucket to be allowed (prefix appended with -{AccountId}-{Region}) 

Resources: 
    CrossAccountRole: 
    Type: AWS::IAM::Role 
    Properties: 
     AssumeRolePolicyDocument: 
     Statement: 
      - Effect: Allow 
      Action: sts:AssumeRole 
      Principal: 
       AWS: 
       - !Sub arn:aws:iam::${AccountId}:user/${Username} 
     Path:/
     Policies: 
     - PolicyName: skynet-s3-delegate 
      PolicyDocument: 
      Statement: 
       - Effect: Allow 
       Action: 
        - s3:ListBucket 
        - s3:GetObject 
       Resource: "*" 
    RootInstanceProfile: 
    Type: "AWS::IAM::InstanceProfile" 
    Properties: 
     Path: "/" 
     Roles: 
      - 
      Ref: "CrossAccountRole"

第2步:創建跨帳戶配置

修改〜/ .aws /憑證。添加一個名爲「skynetci-cross-account」的新配置文件。根據您在STEP 1中創建的參數進行修改。您需要角色arn來替換下面的角色。您還需要您授予的帳戶的配置文件名稱。在這個例子中,配置文件名稱是「default」。

這裏舉例:

[skynetci-cross-account] 
role_arn = arn:aws:iam::191070ABCDEF:role/Test-CrossAccountRole-IZDDLRUMABCD 
source_profile = default

3步:測試交叉存取

AWS --profile skynetci交賬戶S3 LS S3://桶名稱

來源

2017-10-27 22:09:57

+0

因此,與原來的不同是InstanceProfile部分?我查找了它,並且它被認爲與EC2實例一起使用? Isit在沒有EC2的情況下正確使用?實際情況是什麼?這聽起來只是一個角色? 它如何比較S3存儲桶方法? –

+0

是的,這是正確的。我從我的桌面進行測試。S3 bucket方法是實現相同目標的另一種方式。注意:我把你的cloudformation模板,然後糾正它,因爲這是你的問題要求。 –

+0

謝謝你的替代方法。看起來像大多數人我喜歡使用S3桶政策路線。我想我會用它來代替。不知怎的,它更直觀。就像在這種情況下,我並不真正瞭解實例配置文件的功能 –

相關問題

 相關問題