跨账户访问S3,如果在原始账户登录,则可以实现,但如果从另一个账户扮演角色,则无法实现?
【以下的问题经过翻译处理】 当我直接登录源账户时,我可以访问目标账户的S3:
[cloudshell-user@ip-10-0-91-7 ~]$ aws sts get-caller-identity { "UserId": "AIDAxxxxxxxxJBLJ34", "Account": "178xxxxxx057", "Arn": "arn:aws:iam::178xxxxxx057:user/adminCustomer" }
[cloudshell-user@ip-10-0-91-7 ~]$ aws s3 ls s3://target-account-bucket 2022-03-10 01:28:05 432 foobar.txx
但是,如果我在那个账户中扮演一个角色后再进行访问,我就无法访问目标账户了:
[cloudshell-user@ip-10-1-12-136 ~]$ aws sts get-caller-identity { "UserId": "AROAxxxxxxF5HI7BI:test", "Account": "178xxxxxx057", "Arn": "arn:aws:sts::178xxxxxx4057:assumed-role/ReadAnalysis/test" }
[cloudshell-user@ip-10-1-12-136 ~]$ aws s3 ls s3://targer-account-bucket
发生了一个错误(AccessDenied),当调用ListObjectsV2操作时:访问被拒绝 [cloudshell-user@ip-10-1-12-136 ~]$
但是,我可以访问源账户中的存储桶:
[cloudshell-user@ip-10-1-12-136 ~]$ aws s3 ls s3://origin-account
2022-03-09 21:19:36 432 cli_script.txt
目标账户的策略如下:
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::178xxxxxx057:root"
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::targer-account-bucket/*",
"arn:aws:s3:::targer-account-bucket"
]
},
没有任何明确的拒绝
- Neueste
- Die meisten Stimmen
- Die meisten Kommentare
Relevanter Inhalt
AWS OFFICIALAktualisiert vor 7 Monaten- AWS OFFICIALAktualisiert vor einem Jahr