Hello.
Does this mean that I can access S3 in the prod account but not in the root account?
In that case, I thought that the problem could be solved by attaching an IAM policy for operating S3 to the IAM user of the root account.
In other words, I thought it was necessary to use the following policy to allow not only "AssumeRole" but also S3 operations within my account.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [ "sts:AssumeRole" ],
            "Resource": [ "arn:aws:iam::<prod_account_id>:role/BrighthubS3FullAccessRole" ]
        },
        {
            "Effect": "Allow",
            "Action": [ "s3:*" ],
            "Resource": [ "*" ]
        }
    ]
}
Remember that for cross-account access you have to set up a bucket policy to allow access from the other account. If not, it will not work; it's impossible, because otherwise you would be able to access any bucket in the world.
Hope this helps.
Best
Thank you for your response. Here the user in the root account isn't able to access a bucket in the root account after giving them access to S3 in the prod account through a role.
This is exactly how it has been set up. In this example, the bucket policy has been added for an admin user in a third account to be able to upload objects. The setup between Account A and C is exactly what we have done for the root and prod accounts. The user is unable to access buckets in the root account, with the role they can access the prod account. How do I allow them to access S3 in both the root account and the prod account?
Thank you for your response. I had tried this too. We have a Group in the root account to grant full S3 access to IAM Users in the root account. So along with adding the user to the group that grants access to the Prod S3, we also add the user to this group. But the user still got the same error.
With the AWS CLI, you can set the profile and Assume Role as shown below. As a result, in my environment, I can now operate the S3 buckets of Account A and Account B. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-cli.html
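As an added illustration of the CLI setup linked above (not from the original post), this ~/.aws/config keeps the IAM user's own credentials in one profile and puts the role assumption in a second profile; the profile names, region and the <root_account_id>/<prod_account_id> placeholders are assumptions, and the role name is the one from the policy earlier in the thread.

```ini
# ~/.aws/config (example, not from the original post)
# Profile "root": the IAM user's own access keys (stored under [root] in
# ~/.aws/credentials). Calls made with this profile use only the user's
# IAM permissions in the root account, e.g. the S3 group policy.
[profile root]
region = us-east-1

# Profile "prod": every call assumes the cross-account role. Only the
# role's permissions apply here; the user's root-account permissions are
# not carried over, so root-account buckets are not reachable via it.
[profile prod]
role_arn = arn:aws:iam::<prod_account_id>:role/BrighthubS3FullAccessRole
source_profile = root
region = us-east-1
```

Run `aws s3 ls --profile root` for buckets in the root account and `aws s3 ls --profile prod` for buckets in the prod account; if neither `--profile` nor `AWS_PROFILE` is set, check that the `[default]` profile (or `AWS_ROLE_ARN`-style environment variables) is not silently pointing every call at the role.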
Thank you so much again! According to this link,
The permissions of your IAM user and any roles that you assume are not cumulative. Only one set of permissions is active at a time. When you assume a role, you temporarily give up your previous user or role permissions and work with the permissions that are assigned to the role. When you exit the role, your user permissions are automatically restored.
So, why isn't the user able to access a bucket in the root account with their access keys in the root account after the role has been attached? Apologies, I am just trying to understand this better.
Is access being denied due to the S3 bucket's bucket policy? Also, can I access the same S3 if I am a regular IAM user without cross-account setup? Make sure you have attached not only the "AssumeRole" but also the policy used to access S3.
Thank you for your response. There is no Bucket policy set up in any bucket in the prod or root account. The user is able to access the bucket in the root account if the cross account access role is removed. The moment that role is added, they can no longer access anything in the root account. I have also tried attaching the S3 policy as shown above in your answer, it still gives an Access denied error.