通过CloudFormation脚本触发时,Lambda无法承担跨帐户角色。
我有一个CloudFormation脚本,该脚本可以在帐户A中创建并触发Lambda函数。该函数需要从帐户B复制对象。我正在使用基于角色的跨帐户访问权限。
在帐户B上,我担任以下角色: 出于测试目的,我正在使用S3完全访问权限。
CrossAccountAccessRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: 'CrossAccountAccessRole'
Path: '/'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: !Sub 'arn:aws:iam::<AccountA>:role/CustomerCrossAccountAccessRole'
Action: sts:AssumeRole
CrossAccountAccessPolicy:
Type: "AWS::IAM::ManagedPolicy"
Properties:
Path: '/'
ManagedPolicyName: CrossAccountAccessPolicy
Roles:
- !Ref CrossAccountAccessRole
PolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Action:
- s3:*
在帐户A上,我担任以下角色,包括lambda执行,S3完全访问权限和假定的角色策略。
CustomerCrossAccountAccessRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: CustomerCrossAccountAccessRole
AssumeRolePolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Principal:
Service: lambda.amazonaws.com
Action: sts:AssumeRole
Path: /
Policies:
- PolicyName: LambdaBasicExecutionPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
- Effect: Allow
Action:
- 'logs:CreateLogGroup'
- 'logs:CreateLogStream'
- 'logs:PutLogEvents'
Resource: '*'
- PolicyName: LambdaSourceBucketPolicy
PolicyDocument:
Version: 2012-10-17
Statement:
Effect: Allow
Action: 's3:*'
Resource: '*'
- PolicyName: LambdaAssumeRolePolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: sts:AssumeRole
Resource: !Sub 'arn:aws:iam::<AccountA>:role/CrossAccountAccessRole'
我在lambda函数中运行此python脚本,
try:
print('Assume role of a cross account access role')
boto_sts_client=boto3.client('sts', region_name='ap-southeast-2')
stsresponse = boto_sts_client.assume_role(
RoleSessionName = 'CrossAccountAccessSession',
RoleArn = 'arn:aws:iam::<AccountA>:role/CrossAccountAccessRole',
DurationSeconds = 3000
)
s3_assumed_client = boto3.client(
's3',
region_name='ap-southeast-2',
aws_access_key_id = stsresponse["Credentials"]["AccessKeyId"],
aws_secret_access_key = stsresponse["Credentials"]["SecretAccessKey"],
aws_session_token = stsresponse["Credentials"]["SessionToken"]
)
s3_assumed_client.download_file(<BucketName>, <FilePath>,<FileName>)
except:
traceback.print_exc()
CloudFormation脚本返回以下错误,
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
但是,如果我在测试模式下运行相同的Lambda(使用CloudFormation脚本创建)(使用AWS控制台上的“测试”按钮),它将下载文件而不会出现任何错误。
谢谢
答案 0 :(得分:1)
您的政策包含以下错误:
CrossAccountAccessRole:
Type: 'AWS::IAM::Role'
Properties:
RoleName: 'CrossAccountAccessRole'
Path: '/'
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS: 'arn:aws:iam::<AccountA>:root'
...
- PolicyName: LambdaAssumeRolePolicy
PolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Action: sts:AssumeRole
Resource: 'arn:aws:iam::<AccountB>:role/CrossAccountAccessRole'
stsresponse = boto_sts_client.assume_role(
RoleSessionName = 'CrossAccountAccessSession',
RoleArn = 'arn:aws:iam::<Account-B>:role/CrossAccountAccessRole',
DurationSeconds = 3000
)
您在几个实际应该是帐户B的地方(ARN)中写了帐户A,但我想这些是错别字。
答案 1 :(得分:0)
您无需为此管理跨帐户角色。您只需在目标存储桶的策略内允许帐户A进行访问即可。附加您的lambda角色的权限,您就可以直接访问存储桶,而无需承担任何角色。转到您的S3存储桶,转到“权限”标签,然后单击“存储桶策略”。您的政策如下,
{
"Version": "2008-10-17",
"Statement": [
{
"Sid": "DelegateReadToAccountA",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<account-A>:root"
]
},
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": [
"arn:aws:s3:::<bucket_name>",
"arn:aws:s3:::<bucket_name>/*"
]
}
]
}