1 Answer
0
Yes, that is possible. In Account A, create an IAM role with permissions to access the RDS snapshot and the necessary S3 bucket in Account B. This role will be assumed by Account B when exporting the snapshot using the CLI with aws sts assume-role and aws rds export-db-snapshot.
The policy in Account A would look something like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRoleAccountB",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNT_B_ID:role/ROLE_NAME_IN_ACCOUNT_B"
    },
    {
      "Sid": "AllowExportSnapshot",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBSnapshotAttributes",
        "rds:ListTagsForResource",
        "rds:CopyDBSnapshot"
      ],
      "Resource": "arn:aws:rds:REGION:ACCOUNT_A_ID:snapshot:SNAPSHOT_ID"
    },
    {
      "Sid": "AllowS3BucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    }
  ]
}
The policy in Account B then would look like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRoleAccountA",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNT_A_ID:role/ROLE_NAME_IN_ACCOUNT_A"
    },
    {
      "Sid": "AllowS3BucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    }
  ]
}
Hope this helps.
answered a year ago
When I put the policy in Account A, it is giving me an error saying: "Invalid Action: The action rds:ExportDBSnapshot does not exist."
Sorry, my mistake, the correct IAM action should be "rds:CopyDBSnapshot": https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html
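Added example (not part of the original answer or its comments, and not AWS code): a cross-account sts:AssumeRole like the one in the policies above succeeds only when the caller's identity policy allows the call and the target role's trust policy names the caller. This simplified Python check models both sides; the account IDs, role names and trust policies are constructed placeholders, and Condition, NotAction and NotResource are ignored.

```python
import fnmatch

def _as_list(v):
    return v if isinstance(v, list) else [v]

def identity_allows(policy, action, resource):
    """Identity-policy check: explicit Deny wins; Condition blocks are ignored."""
    allowed = False
    for st in _as_list(policy["Statement"]):
        hit = (any(fnmatch.fnmatchcase(action.lower(), a.lower())
                   for a in _as_list(st.get("Action", [])))
               and any(fnmatch.fnmatchcase(resource, r)
                       for r in _as_list(st.get("Resource", []))))
        if hit and st["Effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["Effect"] == "Allow")
    return allowed

def trust_allows(trust_policy, caller_arn):
    """Trust-policy check: caller ARN, its account root, or bare account ID."""
    account = caller_arn.split(":")[4]
    accepted = {caller_arn, f"arn:aws:iam::{account}:root", account}
    for st in _as_list(trust_policy["Statement"]):
        principal = st.get("Principal", {})
        named = _as_list(principal.get("AWS", [])) if isinstance(principal, dict) else []
        if (st["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(st["Action"])
                and accepted & set(named)):
            return True
    return False

def can_assume(caller_arn, caller_policy, target_arn, target_trust):
    """Cross-account AssumeRole needs both sides to allow it."""
    return (identity_allows(caller_policy, "sts:AssumeRole", target_arn)
            and trust_allows(target_trust, caller_arn))

# Constructed sample values: account IDs and role names are placeholders.
ROLE_A = "arn:aws:iam::111111111111:role/ExportRoleA"
ROLE_B = "arn:aws:iam::222222222222:role/ExportRoleB"
POLICY_B = {"Version": "2012-10-17", "Statement": [
    {"Sid": "AllowAssumeRoleAccountA", "Effect": "Allow",
     "Action": "sts:AssumeRole", "Resource": ROLE_A}]}
TRUST_OK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_B}, "Action": "sts:AssumeRole"}]}
TRUST_OTHER = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::333333333333:root"},
     "Action": "sts:AssumeRole"}]}

if __name__ == "__main__":
    print(can_assume(ROLE_B, POLICY_B, ROLE_A, TRUST_OK))
    print(can_assume(ROLE_B, POLICY_B, ROLE_A, TRUST_OTHER))
```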