I have two AWS accounts. The first is the production account, which owns all of the hosted zones; the other is a training account from which I want to list and change record sets.
The steps I have taken so far to solve this:
Create a cross-account IAM role in the production account
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::training:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
Attach a Route53 IAM policy
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": [
        "arn:aws:route53:::hostedzone/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ListHostedZones",
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "*"
      ]
    }
  ]
}
Assume the role from the training account, following this tutorial:
https://docs.aws.amazon.com/eks/latest/userguide/create-service-account-iam-policy-and-role.html
IAM policy for the identity that assumes the role
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "route53:*"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::prod:role/AllowExternalDNSUpdateEks"
    },
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:GetSessionToken",
        "sts:DecodeAuthorizationMessage",
        "sts:GetAccessKeyInfo",
        "sts:GetCallerIdentity",
        "sts:GetServiceBearerToken"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": "sts:*",
      "Resource": [
        "arn:aws:iam::prod:role/AllowExternalDNSUpdateEks",
        "arn:aws:iam::training:user/*"
      ]
    }
  ]
}
After performing the steps above, I still cannot list hosted zones or change record sets.
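The following is an added example, not code from the question, that models the authorization chain the three policies above set up: the caller's own permission to call sts:AssumeRole, the production role's trust policy, and finally the role's Route53 policy. Account ids "prod" and "training" are the question's placeholders, the hosted-zone id is made up, and the evaluator is a deliberately simplified model of IAM (wildcards and explicit Deny only, no conditions), so it can be run offline to see which of the three checks a given caller and action would fail.

```python
import fnmatch

# Constructed copies of the question's three policies ("prod"/"training" stand in for
# 12-digit account ids, exactly as in the question).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::training:root"},
     "Action": "sts:AssumeRole"}]}
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
     "Resource": ["arn:aws:route53:::hostedzone/*"]},
    {"Effect": "Allow", "Action": ["route53:ListHostedZones", "route53:ListResourceRecordSets"],
     "Resource": ["*"]}]}
CALLER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["route53:*"], "Resource": ["*"]},
    {"Effect": "Allow", "Action": ["sts:AssumeRole"],
     "Resource": "arn:aws:iam::prod:role/AllowExternalDNSUpdateEks"}]}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _match(pattern, value):
    # IAM wildcards: '*' matches any run, '?' one character (case handling simplified)
    return fnmatch.fnmatchcase(value, pattern)

def _account(arn):
    return arn.split(":")[4]  # arn:partition:service:region:account:resource

def allowed(policy, action, resource):
    """Simplified identity-policy evaluation: an explicit Deny wins, else any matching Allow."""
    decision = False
    for stmt in policy["Statement"]:
        hit = any(_match(a, action) for a in _as_list(stmt["Action"])) and \
              any(_match(r, resource) for r in _as_list(stmt["Resource"]))
        if hit and stmt["Effect"] == "Deny":
            return False
        decision = decision or hit
    return decision

def trusts(trust_policy, caller_arn):
    """Does the role's trust policy let caller_arn call sts:AssumeRole? An account-root
    principal delegates to every IAM identity in that account, so only the account id matters."""
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow" or not any(_match(a, "sts:AssumeRole") for a in _as_list(stmt["Action"])):
            continue
        for p in _as_list(stmt["Principal"].get("AWS", [])):
            if p == caller_arn or (p.endswith(":root") and _account(p) == _account(caller_arn)):
                return True
    return False

def cross_account_decision(caller_arn, caller_policy, role_arn, action, resource):
    """Both sides must agree before the role's own policy is consulted; the caller's route53:*
    grant is scoped to its home account and plays no part in what the assumed role may do."""
    if not allowed(caller_policy, "sts:AssumeRole", role_arn):
        return "caller policy does not grant sts:AssumeRole on the role"
    if not trusts(TRUST_POLICY, caller_arn):
        return "role trust policy does not trust the caller"
    if not allowed(ROLE_POLICY, action, resource):
        return "assumed role lacks permission for the action"
    return "allowed"
```

Because the decision is returned as a string naming the failed check, the same function doubles as a quick triage step: swap in the real policies from both accounts and the real caller ARN reported by sts:GetCallerIdentity and it tells you which half of the handshake to look at first.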