我在cognito/identity用户池的身份验证角色中使用${cognito-identity.amazonaws.com:sub}占位符,以便为cognito用户提供对其资源的细粒度访问。如这里所描述的,如果资源与IAM角色在同一个帐户中,则此操作非常有效。
现在我想做同样的事情,但资源在另一个帐户。例如,我将如何做以下事情?:
- "userX"从userpool在accountA中可以访问名为"userx"的logGroup;在accountB
因此,显然它适用于s3Buckets,例如,但您还需要给AccountB中提到的s3 bucket一个资源策略,该策略允许来自AccountA的所有用户访问该bucket。例如,使用terraform(顺便说一句,这是为了使amplify的上传功能与amplify项目的不同AWS账户中的桶一起工作):
resource "aws_iam_role" "authenticated_role" {
name = "${local.identity_pool_name}-authenticated-user"
assume_role_policy = data.aws_iam_policy_document.authenticated_role_document.json
tags = var.tags
inline_policy {
name = "authenticated_role_policy"
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
"Action": [
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject"
],
"Resource": [
"arn:aws:s3:::${var.accountBBucket}/public/*",
"arn:aws:s3:::${var.accountBBucket}/protected/$${cognito-identity.amazonaws.com:sub}/*",
"arn:aws:s3:::${var.accountBBucket}/private/$${cognito-identity.amazonaws.com:sub}/*"
],
"Effect": "Allow"
},
...
]
})
}
}
resource "aws_s3_bucket_policy" "shared_customer_artefacts_pol" {
provider = aws.accountB
bucket = aws_s3_bucket.shared_customer_artefacts.id
policy = jsonencode({
Version = "2012-10-17"
Statement = [
{
Sid = "1"
Effect = "Allow"
Principal = {
AWS = "arn:aws:iam::${var.accountAId}:root"
}
Action = [
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
]
Resource = [
"arn:aws:s3:::${var.var.accountBBucket}",
"arn:aws:s3:::${var.var.accountBBucket}/*",
]
}
]
})
}