【以下的问题经过翻译处理】 当我直接登录源账户时,我可以访问目标账户的S3:
[cloudshell-user@ip-10-0-91-7 ~]$ aws sts get-caller-identity
{
"UserId": "AIDAxxxxxxxxJBLJ34",
"Account": "178xxxxxx057",
"Arn": "arn:aws:iam::178xxxxxx057:user/adminCustomer"
}
[cloudshell-user@ip-10-0-91-7 ~]$ aws s3 ls s3://target-account-bucket
2022-03-10 01:28:05 432 foobar.txx
但是,如果我在那个账户中扮演一个角色后再进行访问,我就无法访问目标账户了:
[cloudshell-user@ip-10-1-12-136 ~]$ aws sts get-caller-identity
{
"UserId": "AROAxxxxxxF5HI7BI:test",
"Account": "178xxxxxx057",
"Arn": "arn:aws:sts::178xxxxxx4057:assumed-role/ReadAnalysis/test"
}
[cloudshell-user@ip-10-1-12-136 ~]$ aws s3 ls s3://targer-account-bucket
发生了一个错误(AccessDenied),当调用ListObjectsV2操作时:访问被拒绝
[cloudshell-user@ip-10-1-12-136 ~]$
但是,我可以访问源账户中的存储桶:
[cloudshell-user@ip-10-1-12-136 ~]$ aws s3 ls s3://origin-account
2022-03-09 21:19:36 432 cli_script.txt
目标账户的策略如下:
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::178xxxxxx057:root"
},
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::targer-account-bucket/*",
"arn:aws:s3:::targer-account-bucket"
]
},
没有任何明确的拒绝