2 Answers
1
So your source account is 111 and target 222
The Assume Role in Target 222 does not look correct. You need to allow 111 in the trust, not 222, because you're allowing account 111 to assume this role, so we "Trust" that account.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::111:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
Also the role in account 222 needs to have the policy Ec2ImageBuilderCrossAccountDistributionAccess attached to the role.
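The trust check described in this answer, as an added example that is not part of the original thread or any AWS tooling: it lists which accounts a role's trust policy allows to call sts:AssumeRole and reports when the source account is missing. The 12-digit IDs are constructed stand-ins for the thread's 111 and 222, all function names are hypothetical, and `Condition` and `NotPrincipal` are not evaluated.

```python
import re

# Constructed 12-digit IDs standing in for the thread's "111" (source) and "222" (target).
SOURCE, TARGET = "111111111111", "222222222222"

def account_of(principal):
    """Return the account ID named by an AWS principal (bare ID or IAM/STS ARN), else None."""
    if re.fullmatch(r"\d{12}", principal):
        return principal
    m = re.fullmatch(r"arn:aws[\w-]*:(?:iam|sts)::(\d{12}):.+", principal)
    return m.group(1) if m else None

def as_list(value):
    return value if isinstance(value, list) else [value]

def trusted_accounts(trust_policy):
    """Accounts that an Allow statement lets call sts:AssumeRole on the role."""
    accounts = set()
    for stmt in as_list(trust_policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in as_list(stmt.get("Action", []))}
        if not {"sts:assumerole", "sts:*", "*"} & actions:
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            accounts.add("*")
            continue
        # Only the "AWS" key names accounts; "Service" principals are skipped.
        for p in as_list(principal.get("AWS", [])):
            accounts.add("*" if p == "*" else account_of(p))
    accounts.discard(None)
    return accounts

def check_trust(trust_policy, source_account):
    """Return a list of findings; an empty list means the source account is trusted."""
    trusted = trusted_accounts(trust_policy)
    if "*" in trusted:
        return ["wildcard principal: any account may assume the role"]
    if source_account not in trusted:
        return [f"{source_account} not trusted; trusted: {sorted(trusted) or 'none'}"]
    return []

def policy_for(account):  # same shape as the trust policy shown in the answer
    return {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{account}:root"},
            "Action": "sts:AssumeRole", "Condition": {}}]}

if __name__ == "__main__":
    print(check_trust(policy_for(TARGET), SOURCE))  # role trusts its own account: one finding
    print(check_trust(policy_for(SOURCE), SOURCE))  # role trusts the source account: no findings
```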
0
Fixed it by creating another KMS key in another region. Then by using Launch Configuration use this KMS key. Role is not needed.
answered 7 months ago
Yes, I tried, but still I got the same error. I used those steps for account 222:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "imagebuilder.amazonaws.com",
        "AWS": "arn:aws:iam::111:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
Did you attach the policy?
Yes, policy is attached. I think that the problem could be that I need multi region KMS key, as this second account is in different region.
I don’t think you can have a service and AWS principal in the same statement.