文档建议反馈控制台
首页
学习
活动
专区
圈层
工具
MCP广场
文章/答案/技术大牛
发布
社区首页 >问答首页 >拒绝访问CloudFormation交叉帐户s3副本

拒绝访问CloudFormation交叉帐户s3副本
EN

Stack Overflow用户
提问于 2022-03-29 01:59:59
回答 1查看 196关注 0票数 0

我看了好几个小时的文件,不觉得我错过了什么,但我显然是源帐户中有S3对象,我希望将其复制到dest帐户中的S3桶中。这是我的设置(注意,我故意使权限非常松散,一开始只是为了让它正常工作。(计划稍后对其进行范围界定):

由lambda在source_account中使用的Cloudformation创建的角色

代码语言:javascript
复制
CopyRole:
    Properties:
      RoleName: 'CopyRole'
      AssumeRolePolicyDocument:
        Statement:
          - Action: [ 'sts:AssumeRole' ]
            Effect: Allow
            Principal:
              Service: [ lambda.amazonaws.com ]
        Version: '2012-10-17'
      Policies:
        - PolicyDocument:
            Statement:
              - Action: [ 'logs:CreateLogStream', 'logs:PutLogEvents', 'logs:CreateLogGroup' ]
                Effect: Allow
                Resource: '*'
              - Action: [ 's3:*', 'kms:*' ]
                Effect: Allow
                Resource: '*'
              - Action: [ 'sts:AssumeRole' ]
                Effect: Allow
                Resource: '*'
          PolicyName: CopyPolicy
    Type: AWS::IAM::Role

请注意,上面提供了承担任何其他角色的能力。

dest_account DestAccountCopyRole中的IAM角色,它应该从源桶(其他帐户)授予读取权限,并将权限写入目标桶(在同一个帐户中)。

代码语言:javascript
复制
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "s3:GetLifecycleConfiguration",
                "s3:GetBucketTagging",
                "s3:GetInventoryConfiguration",
                "s3:GetObjectVersionTagging",
                "s3:ListBucketVersions",
                "s3:GetBucketLogging",
                "s3:ListBucket",
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketPolicy",
                "s3:GetObjectVersionTorrent",
                "s3:GetObjectAcl",
                "s3:GetEncryptionConfiguration",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketRequestPayment",
                "s3:GetObjectVersionAcl",
                "s3:GetObjectTagging",
                "s3:GetMetricsConfiguration",
                "s3:GetBucketPublicAccessBlock",
                "s3:GetBucketPolicyStatus",
                "s3:ListBucketMultipartUploads",
                "s3:GetObjectRetention",
                "s3:GetBucketWebsite",
                "s3:GetBucketVersioning",
                "s3:GetBucketAcl",
                "s3:GetObjectLegalHold",
                "s3:GetBucketNotification",
                "s3:GetReplicationConfiguration",
                "s3:ListMultipartUploadParts",
                "s3:GetObject",
                "s3:GetObjectTorrent",
                "s3:GetBucketCORS",
                "s3:GetAnalyticsConfiguration",
                "s3:GetObjectVersionForReplication",
                "s3:GetBucketLocation",
                "s3:GetObjectVersion"
            ],
            "Resource": [
                "arn:aws:s3:::source_bucket",
                "arn:aws:s3:::source_bucket/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "s3:GetAccessPoint",
                "s3:GetAccountPublicAccessBlock",
                "s3:ListAllMyBuckets",
                "s3:ListAccessPoints",
                "s3:ListJobs"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectRetention",
                "s3:PutObjectVersionAcl",
                "s3:PutObjectVersionTagging",
                "s3:PutObjectTagging",
                "s3:PutObjectLegalHold",
                "s3:PutObjectAcl"
            ],
            "Resource": "arn:aws:s3:::dest_account_bucket/*"
        }
    ]
}
... trust policy which allows the lambda role to assume this role
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::source_account:root"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

source_account存储桶策略,该策略允许目标帐户中的IAM角色从源桶中读取

代码语言:javascript
复制
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DelegateS3Access",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::dest_account:role/DestAccountCopyRole"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::source_account_bucket",
                "arn:aws:s3:::source_account_bucket/*"
            ]
        }
    ]
}

dest_account桶策略

代码语言:javascript
复制
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::dest_account:root"
            },
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::dest_account_bucket",
                "arn:aws:s3:::dest_account_bucket/*"
            ]
        }
    ]
}

我在javascript上运行的lambda能够绕过承担跨帐户角色的部分,但是当尝试复制数据时,Access Denied失败了。

代码语言:javascript
复制
const creds = await getCredentials(destination_bucket)
                .catch((err) => {
                    console.log(err);
                    throw err;
                });
s3Dest = new aws.S3(creds);

return s3.listObjects(sourcePath).promise()
  .then(async (data) => {
     return Promise.all(data.Contents.map((item) => {
       console.log(`Copying data over`);
       s3Dest.copyObject({
         Bucket: destination_bucket,
         CopySource: copy_source,
         Key: key
       }).promise();
     }));
  }).catch((err) => {
    console.log(`Error: ${err}`);
    throw err;
  });

const getCredentials = async (bucket) => {
    return new Promise((resolve, reject) => {
        const params = {
            RoleArn: "arn:aws:iam::dest_account:role/DestAccountCopyRole",
            RoleSessionName: 'copy-test'
        };
        sts.assumeRole(params, (err, data) => {
            if (err) reject(err);
            else {
                console.log(data);
                resolve({
                    accessKeyId: data.Credentials.AccessKeyId,
                    secretAccessKey: data.Credentials.SecretAccessKey,
                    sessionToken: data.Credentials.SessionToken,
                });
            }
        });
    });
};

我也不认为我对Javascript有足够的了解,因为云监视日志同时打印了Copying data overError: Access Denied,然后失败了(我认为只有当listObjects调用失败时,Error: Access Denied才会出现,但是看起来它可以在复制部分失败)

amazon-iam
javascript
amazon-web-services
amazon-s3
amazon-cloudformation
EN

回答 1

Stack Overflow用户

发布于 2022-03-29 04:25:15

当在属于不同AWS帐户(“交叉帐户副本”)的存储桶之间复制对象时,一组凭据要求从源位置读取和将写入到目标位置都需要权限。

由于您的代码从目标帐户中承担一个IAM角色,您还需要在源桶上创建一个桶策略,该策略授予该IAM角色从源桶读取的权限。

与Lambda函数使用的IAM角色具有访问源桶的权限无关,因为copy() 操作将由从目标帐户承担的IAM角色执行,因此它不会使用分配给Lambda函数的IAM角色的任何权限。

此外,当授予IAM角色写入目标桶的权限时,实际上更好的做法是,通过IAM角色本身的策略,而不是作为桶策略授予该权限。通常,只应在授予公共访问权限或跨帐户访问时使用桶策略,而不应仅授予一个用户权限。

票数 1
EN
页面原文内容由Stack Overflow提供。腾讯云小微IT领域专用引擎提供翻译支持
原文链接:

https://stackoverflow.com/questions/71655624

复制
相关文章

相似问题

领券

腾讯云开发者

扫码关注腾讯云开发者

扫码关注腾讯云开发者

领取腾讯云代金券

热门产品

热门推荐

更多推荐

Copyright © 2013 - 2026 Tencent Cloud. All Rights Reserved. 腾讯云 版权所有 

深圳市腾讯计算机系统有限公司 ICP备案/许可证号:粤B2-20090059 粤公网安备44030502008569号

腾讯云计算(北京)有限责任公司 京ICP证150476号 |  京ICP备11018762号

问题归档专栏文章快讯文章归档关键词归档开发者手册归档开发者手册 Section 归档