问题描述
我的理解是,
服务控制策略和基于资源的策略主要用于允许/拒绝跨帐户访问资源.
Service control policy and resource based policies are mainly used to allow/deny cross account access to resources.
从此处解释的策略评估过程中,我了解到IAM权限策略(托管或内联)用于在AWS帐户内授予/拒绝Principal
的权限.
From the policy evaluation procedure explained here, I learned that IAM permission policy(managed or inline) is used to grant/deny permissions to Principal
within an AWS account.
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::*:role/Somerole",
"Effect": "Allow"
}
]
}
但是上面是IAM权限策略,用于向源帐户中的Principal
授予权限,以便可以访问(sts::AssumeRole
)其他帐户资源(Somerole
).
But above is the IAM permission policy, written to grant permissions to Principal
in the source account, to have access(sts::AssumeRole
) to other account resources(Somerole
).
是否可以将IAM权限策略定义为允许源AWS帐户中的Principal
获得权限(sts:AssumeRole
)来访问其他帐户(*:role
)中存在的资源(Somerole
)?在我们的情况下,Principal
是源AWS账户中的 IAM角色.
Can IAM permission policy be defined to allow Principal
in source AWS account get permissions(sts:AssumeRole
) to access resources(Somerole
) that are present in other accounts(*:role
)? In our case Principal
is an IAM role in the source AWS account.
推荐答案
另一个帐户需要已授予对该帐户的访问权限.另一个帐户中的角色将需要与此类似的信任关系(通常还会为其添加条件):
The other account would need to have granted access to the account. The role in the other account would need a trust relationship similar to this (often it has conditions added to it as well):
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<AccountId_A>:root"
},
"Action": "sts:AssumeRole"
}
]
}
此示例假定您是在其中授予IAM权限的帐户.
This example assumes that is the account you are granting the IAM permission in.
这篇关于IAM权限策略可以用于允许访问跨帐户资源吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!