ECS Fargate task cannot access S3 in another account



My ECS Fargate task runs in my AWS account "AccountA". The task needs to access an S3 bucket located in another AWS account, "AccountB".

The ECS task in AccountA assumes a role "AccountA_ECSTaskRole". I created a role "AccountB_S3AccessBucketRole" in AccountB that allows the IAM role "AccountA_ECSTaskRole" to access the S3 bucket in AccountB.

The policy attached to AccountB_S3AccessBucketRole is as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
    }
  ]
}

And its assume-role (trust) policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": {
        "AWS": "AccountA_ECSTaskRole_ARN"
      }
    }
  ]
}

My task is a Docker container that runs aws s3 cp myfiletocopy s3://ACCOUNTB_BUCKET_NAME/. In the task definition I set taskRoleArn to AccountA_ECSTaskRole_ARN. The AWS_CONTAINER_CREDENTIALS_RELATIVE_URI environment variable appears to be set correctly by the ECS agent inside my container, because I can echo it. I still get: An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

The steps above work fine, but I had to make a few more changes to get it working.

Check whether the S3 bucket has encryption enabled; if it does, make sure permission to perform the KMS (CMK) operations is also granted.

Example: in the account that owns the S3 bucket, add a statement like the following to the key policy of the CMK used by the bucket (use the role ARN if the task uses a role, or the user ARN if it uses a user):

{
  "Sid": "Allow an external account to use the CMK",
  "Effect": "Allow",
  "Principal": {
    "AWS": [
      "arn:aws:iam::111211111111:role/ecs-task-execution-role",
      "arn:aws:iam::111211111111:user/User"
    ]
  },
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "*"
}

In the account where ECS is deployed (the account running the service that needs access to S3), add the following permission to the role:

{
  "Sid": "AllowUseOfCMKInS3Account22123222222",
  "Effect": "Allow",
  "Action": [
    "kms:Encrypt",
    "kms:Decrypt",
    "kms:ReEncrypt*",
    "kms:GenerateDataKey*",
    "kms:DescribeKey"
  ],
  "Resource": "arn:aws:kms:us-east-1:22123222222:key/1234abcd-12ab-34cd-12ef-1234567890de"
}

From these steps, I found that you are missing the "Resource" attribute for the sts:AssumeRole action.

I got it working by setting a bucket policy on ACCOUNTB_BUCKET_NAME instead of using a role, as follows:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Principal": {
        "AWS": "AccountA_ECSTaskRole_ARN"
      },
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "AccountA_ECSTaskRole_ARN"
      },
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
    }
  ]
}

and by giving AccountA_ECSTaskRole permission to access ACCOUNTB_BUCKET_NAME:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::ACCOUNTB_BUCKET_NAME/*"
    }
  ]
}
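Why this pair of policies works, shown as an added check that is not code from any of the posts: for a cross-account request, S3 allows the call only when the task role's identity policy in AccountA and the bucket policy in AccountB both grant it, so with no bucket policy (the question's original setup) the same role still gets AccessDenied. The policies below are constructed from the answer's JSON and keep its placeholder ARNs; SCPs, permission boundaries, ACLs and Conditions are deliberately ignored by this simplified evaluator.

```python
import fnmatch

# Constructed sample policies modelled on the final answer's bucket policy and
# task-role policy; the ARN placeholders are the page's, not real identifiers.
TASK_ROLE_ARN = "AccountA_ECSTaskRole_ARN"
BUCKET_ARN = "arn:aws:s3:::ACCOUNTB_BUCKET_NAME"

# Identity policy on AccountA_ECSTaskRole (evaluated in AccountA).
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
     "Resource": BUCKET_ARN},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": BUCKET_ARN + "/*"}]}

# Bucket policy on ACCOUNTB_BUCKET_NAME (evaluated in AccountB); the Principal
# is what makes the grant cross-account.
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": TASK_ROLE_ARN},
     "Action": ["s3:ListBucket", "s3:GetBucketLocation"], "Resource": BUCKET_ARN},
    {"Effect": "Allow", "Principal": {"AWS": TASK_ROLE_ARN},
     "Action": ["s3:GetObject", "s3:PutObject"], "Resource": BUCKET_ARN + "/*"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(stmt, principal, action, resource):
    """True if the statement's Principal (when present), Action and Resource all
    cover the request. '*' wildcards are honoured; Condition blocks are ignored."""
    if "Principal" in stmt:
        p = stmt["Principal"]
        aws = _as_list(p.get("AWS", []) if isinstance(p, dict) else p)
        if principal not in aws and "*" not in aws:
            return False
    return (any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
            and any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))))

def _effects(policy, principal, action, resource):
    return {s["Effect"] for s in policy["Statement"] if _matches(s, principal, action, resource)}

def cross_account_allowed(identity_policy, bucket_policy, principal, action, resource):
    """Simplified cross-account decision: an explicit Deny on either side wins; otherwise
    the caller's identity policy AND the bucket policy must both Allow. A bucket with no
    bucket policy (the question's original setup) is therefore denied even though the
    role's own policy allows the call. SCPs, boundaries, ACLs and Conditions are ignored."""
    identity = _effects(identity_policy, principal, action, resource)
    bucket = _effects(bucket_policy, principal, action, resource) if bucket_policy else set()
    if "Deny" in identity or "Deny" in bucket:
        return False
    return "Allow" in identity and "Allow" in bucket
```

Calling cross_account_allowed with bucket_policy=None reproduces the AccessDenied the question describes; passing BUCKET_POLICY reproduces the working setup.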
