amazon-web-services - 将跨账户角色的 IAM 用户限制为单个存储桶
问题描述
我希望用于跨账户的 Iam 策略仅访问单个 S3 存储桶,如下例所示,但它因权限被拒绝而失败。当我在 AccountA 的控制台上切换到跨账户角色并尝试访问 accountB 中的 S3 存储桶时,会发生故障。但是,当我更改 Iam 策略上的“资源”以允许所有内容时,我可以查看 accountB 中的 S3 存储桶。
xx.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "mysid",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket/*",
"arn:aws:s3:::mybucket/"
]
}
]
}
但是,当我更改 Iam 策略上的“资源”以允许所有内容时,我可以查看 accountB 中的 S3 存储桶。例如
xxx.json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "mysid",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "*"
]
}
]
}
但这不是我想要的。
使用的其他文件包括:
xx.tpl
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "${Sid}",
"Effect": "${Effect}",
"Action": "${Action}",
"Resource": "${Resource}"
}
]
}
xx.tf
data "aws_iam_policy_document" "s3_write" {
count = length(var.s3_bucket_names)
statement {
actions = ["s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:PutObjectAcl", "s3:List*", "s3:Get*", "s3:*"]
resources = ["arn:aws:s3:::${aws_s3_bucket.mybucket[count.index].id}/*", "arn:aws:s3:::${aws_s3_bucket.mybucket[count.index].id}"]
principals {
identifiers = var.principals
type = "AWS"
}
}
resource "aws_s3_bucket_policy" "s3_lb" {
count = length(var.s3_bucket_names)
bucket = aws_s3_bucket.mybucket[count.index].id
policy = data.aws_iam_policy_document.s3_write[count.index].json
}
s3 存储桶策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::xxxx:role/test-role1",
"arn:aws:iam::xxxx:role/test-role2",
"arn:aws:iam::xxxx:role/test-role3",
"arn:aws:iam::xxxx-other:role/s3-list-role"
]
},
"Action": [
"s3:PutObjectAcl",
"s3:PutObject",
"s3:List*",
"s3:Get*",
"s3:DeleteObjectVersion",
"s3:DeleteObject",
"s3:*"
],
"Resource": [
"arn:aws:s3:::mybucket/*",
"arn:aws:s3:::mybucket"
]
}
]
}
解决方案
我改变了这个:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "mysid",
"Action": "s3:*",
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::mybucket/*",
"arn:aws:s3:::mybucket/"
]
}
]
}
对此:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetBucketLocation",
"s3:ListAllMyBuckets"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::mybucket"
]
},
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::mybucket/*"
]
}
]
}
授予我的 IAM 用户对控制台和 CLI 的跨账户访问权限。控制台跨账户访问需要第一个允许语句。
推荐阅读
- python - 错误:x 和 y 必须具有相同的第一维。为什么?
- python - Keras 自定义损失函数 - 如何访问实际的真值和预测
- ios - 如何处理 FCM 通知而不在 IOS 上键入弹出窗口
- html - 转到另一个页面时的活动导航栏
- sql-server - 无法将 SQL 表值从 Powershell 插入 SQL Server
- reactjs - React 中的 Flickity 单元格选择器
- ruby-on-rails - 没有这样的文件或目录@rb_sysopen -
- jmeter - jmeter线程组中的持续时间
- javascript - 在 react-native 上使用 useEffect 挂钩的无限循环
- r - 如何运行一个 for 循环子集多个列表,所有这些列表都包含数据帧