S3 upload issues using aws console

0

I have a SAML role in A account and I have a bucket in B account... I gave access to the bucket but when I am trying to upload the file it is showing the error - Access control list (ACL) not supported (Kindly give your valuable responses to sort out my issue).

And I am not confident with S3 CLI commands as well. If you give that as well then I will try from CLI.

2 Answers
2

Hello, this is a cross-account case.

Please check the things below.

  1. Check your IAM role permission in A account. If you want to upload a file to an S3 bucket in account B, your IAM Role must be granted. This is a permission sample.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Example",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::${YOUR-BUCKET-NAME}/*"
            ]
        }
    ]
}
  2. Check your S3 bucket permission in B account. In the cross-account case, you must grant permissions for the user in A account. This is a permission sample.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Example permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": "${YOUR-IAM-ROLE-ARN}"
            },
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::${YOUR-BUCKET-NAME}/*"
        }
    ]
}
  3. Here is a CLI command for an object upload test.
aws s3api put-object --bucket ${YOUR-BUCKET-NAME} --key ${OBJECT-TO-UPLOAD}

In the cross-account case, you can't see the target bucket name in the AWS Management Console. So, when you upload a file to the S3 bucket, you should use the CLI or another programmatic method.

If you need more details, please read these reading materials.

Good Luck!

answered a year ago
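The answer above depends on both sides allowing the request: the role's identity policy in account A and the bucket policy in account B. The following is an added example, not part of the original answer and not AWS's evaluation engine: a simplified offline check (it ignores `Condition`, `NotAction`, SCPs and permission boundaries) showing that an identity policy whose `Resource` names only the bucket ARN does not match `s3:PutObject` on an object key. The bucket name, role ARN and helper names are constructed for illustration.

```python
import re

def _list(v):
    return v if isinstance(v, list) else [v]

def _match(pattern, value):
    # IAM wildcards: "*" is any run of characters, "?" is exactly one
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def decision(policy, action, resource, principal=None):
    """'Deny', 'Allow' or 'NoMatch' for one policy (Condition etc. ignored)."""
    result = "NoMatch"
    for st in _list(policy["Statement"]):
        if "Principal" in st:  # resource-based policy: caller must be named
            p = st["Principal"]
            named = ["*"] if p == "*" else _list(p.get("AWS", []))
            if not any(_match(n, principal or "") for n in named):
                continue
        if not any(_match(a.lower(), action.lower()) for a in _list(st["Action"])):
            continue
        if not any(_match(r, resource) for r in _list(st["Resource"])):
            continue
        if st["Effect"] == "Deny":
            return "Deny"  # explicit deny always wins
        result = "Allow"
    return result

def cross_account_allowed(identity_policy, bucket_policy, role_arn, action, resource):
    # Cross-account: the caller's identity policy AND the bucket policy must allow
    return (decision(identity_policy, action, resource) == "Allow"
            and decision(bucket_policy, action, resource, role_arn) == "Allow")

# Constructed sample values, not from the original post
ROLE = "arn:aws:iam::111111111111:role/ExampleSamlRole"
OBJ = "arn:aws:s3:::example-bucket/report.csv"

def put_policy(resource, principal=None):
    st = {"Effect": "Allow", "Action": "s3:PutObject", "Resource": resource}
    if principal:
        st["Principal"] = {"AWS": principal}
    return {"Version": "2012-10-17", "Statement": [st]}

BUCKET_POLICY = put_policy("arn:aws:s3:::example-bucket/*", ROLE)

if __name__ == "__main__":
    for res in ("arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"):
        ok = cross_account_allowed(put_policy(res), BUCKET_POLICY, ROLE, "s3:PutObject", OBJ)
        print(f"identity Resource={res!r}: allowed={ok}")
```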
1

You must create in Account A an Account role for account B with a policy that allows S3 access. Then you must allow account B to assume this role:

Account A:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:ListBucket",
                "other s3 actions..."
            ],
            "Resource": [
                "arn:aws:s3:::your-bucket-name/*",
                "arn:aws:s3:::your-bucket-name"
            ]
        }
    ]
}

From Account B you must assume the previously created role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::xxxxxx:role/ARN-of-Previous-Role"
        }
    ]
}

Check this resource for a complete step-by-step explanation.

AWS
David C
answered a year ago
