假设我们有两个AWS帐户:帐户A,帐户B和帐户A上运行的EC2实例。
aws ec2 describe-instances对于实例自己的帐户按预期工作,没有带有实例angular色的~/.aws/credentials文件。
我的目标是从这个实例运行aws ec2 describe-instances到Account-B。
以下命令可用于输出凭据:
$ aws sts assume-role --role-arn arn:aws:iam::012345678901:role/accountb-role --role-session-name test
但是,这并不是:
$ aws ec2 describe-instances --profile AccountB 'aws_access_key_id'
〜/ .aws /configuration
[default] region = us-east-1 [profile AccountB] role_arn = arn:aws:iam::012345678901:role/accountb-role source_profile = default
正如我所提到的, ~/.aws/credentials不存在,因为实例使用IAM的实例angular色。
accountb-role信任关系策略
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "lambda.amazonaws.com" }, "Action": "sts:AssumeRole" }, { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::012345678900:role/accounta-role" }, "Action": "sts:AssumeRole" } ] }
实例内联策略
{ "Version": "2012-10-17", "Statement": [ { "Sid": "Stmt1490625590000", "Effect": "Allow", "Action": [ "sts:AssumeRole" ], "Resource": [ "arn:aws:iam::012345678901:role/accountb-role" ] } ] }
accounta-role实例angular色和accountb-role都具有附加的股票ReadOnlyAccess IAM策略。
如果任何人仍然对答案感兴趣,则必须保存aws凭证才能在这些调用之间使用AccountB:
aws sts assume-role --role-arn arn:aws:iam::012345678901:role/accountb-role --role-session-name test
<< save aws_access_key_id,aws_secret_access_key,AWS_SESSION_TOKEN here >>
然后你打电话
aws configure --profile AccountB
确保你有他们的设立。 此外,AWS_SESSION_TOKEN可能会在一段时间后失效
aws ec2 describe-instances --profile AccountB
这篇文章详细解释
在您的IAM面板中,还可以授予对跨账户IAM用户的访问权限,这听起来就像您正在寻找的那样。
http://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html