Cross account S3 access through CloudFormation CLi

Question

I am trying to create a CloudFormation Stack using the AWS CLI by running the following command:

aws cloudformation create-stack --debug --stack-name ${stackName} --template-url ${s3TemplatePath} --parameters '${parameters}' --region eu-west-1

The template resides in an S3 bucket in the another account, lets call this account 456. The bucket policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Example permissions",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::123:root"
                ]
            },
            "Action": [
                "s3:*"
            ],
            "Resource": "arn:aws:s3:::cloudformation.template.eberry.digital/*"
        }
    ]
}

("Action: * " is for debugging).

Now for a twist. I am logged into account 456 and I run

aws sts assume-role --role-arn arn:aws:iam::123:role/delegate-access-to-infrastructure-account-role --role-session-name jenkins

and the set the correct environment variables to access 123. The policy attached to the role that I assume allow the user Administrator access while I debug - which still doesn't work.

aws s3api list-buckets

then display the buckets in account 123.

To summarize:

• Specifying a template in an S3 bucket owned by account 456, into CloufFormation in the console, while logged into account 123 works.
• Specifying a template in an S3 bucket owned by account 123, using the CLI, works.
• 指定由帐户拥有的S3存储模板456，使用CLI，不能正常工作。

错误：

调用CreateStack操作时发生错误（ValidationError）：S3错误：拒绝访问有关更多信息，请检查http://docs.aws.amazon.com/AmazonS3/latest/API/ErrorResponses.html

我不明白我的任何想法做错了，会被感激。在此期间，我会上传模板将使用它的所有帐户。

Answer 1

Amazon S3通过使用存储桶策略提供跨账户访问。这些是IAM资源策略（适用于资源（在本例中为S3存储桶），而不是IAM主体：用户，组或角色）。您可以在Amazon S3开发人员指南中阅读有关Amazon S3如何授权访问的更多信息。

我很困惑一点关于该帐户是哪个，所以不是我只想说，当你想部署一个AWS拥有的水桶一个模板，你需要这个水桶政策帐户的堆栈不同的 AWS帐户。例如，模板位于AWS账户拥有的存储桶中111111111111，您想使用该模板在AWS账户中部署堆栈222222222222。在这种情况下，您需要登录到帐户，222222222222并将该帐户指定为存储桶策略中的主体。

以下是提供对另一个AWS帐户的访问权的示例存储桶策略；我在自己的CloudFormation模板存储桶上使用它。

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::AWS_ACCOUNT_ID_WITHOUT_HYPHENS:root"
      },
      "Action": [
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:GetObjectTagging",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::S3_BUCKET_NAME",
        "arn:aws:s3:::S3_BUCKET_NAME/*"
      ]
    }
  ]
}

您需要为要提供访问权限的AWS帐户使用12位数字的帐户标识符，以及S3存储桶的名称（您可能可以使用"Resource": "*"，但我尚未对此进行测试）。