我正在两个AWS账户之间建立一个跨账户,我希望账户B能够将文件/日志推送到账户A。我有一个用<位于帐户A中的strong> KMS加密。
帐户A 中的存储桶具有附加的策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::00000000:role/some-role-in-account-B"
},
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3::some-bucket-in-account-A",
"arn:aws:s3:::some-bucket-in-account-A/*"
]
}
]
}
在帐户B 中,我创建了一个角色(帐户中的角色角色B),并附加了以下政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::some-bucket-in-account-A",
"arn:aws:s3:::some-bucket-in-account-A/*"
]
}
]
}
我在帐户B中有一个实例,我在其中附加了 in-role-in-account-B 角色。
从实例中运行它们:aws s3 ls s3://some-bucket-in-account-A
运行正常。但是,aws s3 cp some-random-file s3://some-bucket-in-account-A
失败,并显示错误:An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
。有人知道我可能会缺少什么吗?
答案 0 :(得分:1)
您需要授予帐户B中的角色对KMS密钥的访问权限。有关更多信息,请参见此处:https://aws.amazon.com/premiumsupport/knowledge-center/cross-account-access-denied-error-s3/
请介意,我认为您不需要授予该角色中本文引用的所有权限,您只需要授予以下权限: