Trust relationship between a role in global AWS and users/roles in China AWS region

0

Hi,

Consider the following trust relationship for a role in AWS global:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "SOME-EXTERNAL-ID"
        }
      }
    }
  ]
}

Will it be possible to add an account ID located in one of the AWS China regions? Will it be trusted by the role assigned with the above-mentioned trust policy?

Thanks in advance.

asked 2 years ago2175 views
2 Answers
2

IAM roles and resource-based policies delegate access across accounts within a single partition. AWS Global and AWS China use different partitions. A partition is a group of AWS Regions. Each AWS account is scoped to one partition.

The following are the supported partitions:

  • aws - AWS Regions
  • aws-cn - China Regions
  • aws-us-gov - AWS GovCloud (US) Regions

References:

RoB
answered 2 years ago
0

It doesn't work as AWS Global and AWS China are two separate clouds. You can get more details from below blog.

https://aws.amazon.com/blogs/enterprise-strategy/getting-started-with-aws-services-in-aws-china-beijing-region-and-aws-china-ningxia-region/

You should take note of the following when using AWS services in the Beijing and Ningxia Regions.

  • To use services in the Beijing and Ningxia Regions, you need an account and credentials specific to the Beijing and Ningxia Regions.
  • In Ningxia or Beijing Region, there is no concept of “root” or “account” user or credentials. All users are IAM users, including the user who created the account.
  • The domain for AWS China Regions is www.amazonaws.cn.
  • Beijing Region and Ningxia Region are not connected by AWS backbone to the AWS Global Regions.
  • AWS China Regions names are as follows. Beijing: cn-north-1; Ningxia: cn-northwest-1.
  • The endpoints for services in the Beijing Region and the Ningxia Region are different from other AWS global endpoints. The endpoint domain for both the Beijing and Ningxia Regions is amazonaws.com.cn. Endpoint syntax varies from service to service. For more information, see China (Beijing), China (Ningxia), and the service-specific documentation.
  • In AWS China Regions, the Amazon Resource Name (ARN) syntax includes a cn. For example: arn:aws-cn:iam::123456789012:user/division_abc/subdivision_xyz/Bob.
  • The EC2-Classic platform is not supported.
  • AWS Free Tier is not available in AWS China Regions as now.
answered a year ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions