1 Answer
0
Yes, that is possible. In Account A, create an IAM role with permissions to access the RDS snapshot and the necessary S3 bucket in Account B. This role will be assumed by Account B when exporting the snapshot using the CLI with aws sts assume-role and aws rds export-db-snapshot.
The policy in Account A would look something like this:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAssumeRoleAccountB",
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::ACCOUNT_B_ID:role/ROLE_NAME_IN_ACCOUNT_B"
        },
        {
          "Sid": "AllowExportSnapshot",
          "Effect": "Allow",
          "Action": [
            "rds:DescribeDBSnapshots",
            "rds:DescribeDBSnapshotAttributes",
            "rds:ListTagsForResource",
            "rds:CopyDBSnapshot"
          ],
          "Resource": "arn:aws:rds:REGION:ACCOUNT_A_ID:snapshot:SNAPSHOT_ID"
        },
        {
          "Sid": "AllowS3BucketAccess",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
      ]
    }
The policy in Account B would then look like:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAssumeRoleAccountA",
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::ACCOUNT_A_ID:role/ROLE_NAME_IN_ACCOUNT_A"
        },
        {
          "Sid": "AllowS3BucketAccess",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
      ]
    }
Hope this helps.
answered a year ago
When I put the policy in Account A, it is giving me an error saying: "Invalid Action: The action rds:ExportDBSnapshot does not exist."
Sorry, my mistake, the correct IAM action should be "rds:CopyDBSnapshot": https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html
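An added example, not part of the original answer or comments: an offline lint for identity policies like the two above. It flags action names outside a known list (the error the commenter hit), actions paired with a resource ARN of the wrong service, and template tokens left unreplaced. The action list is a constructed subset, and `lint_policy`, `KNOWN_ACTIONS`, `ARN_SERVICE` and `PLACEHOLDER` are hypothetical names.

```python
import json
import re

# Constructed subset of real IAM actions (those used in the policies above); the
# authoritative list is the Service Authorization Reference linked in the thread.
KNOWN_ACTIONS = {
    "sts:AssumeRole", "s3:PutObject", "rds:DescribeDBSnapshots",
    "rds:DescribeDBSnapshotAttributes", "rds:ListTagsForResource", "rds:CopyDBSnapshot",
}
# ARN service segment expected per action prefix (sts:AssumeRole targets an IAM role).
ARN_SERVICE = {"sts": "iam", "rds": "rds", "s3": "s3"}
# Heuristic for template tokens such as ACCOUNT_B_ID, REGION, BUCKET_NAME.
PLACEHOLDER = re.compile(r"\b[A-Z][A-Z_]{3,}\b")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json):
    """Return sorted (sid, message) findings for an identity policy document."""
    findings = set()
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.add((sid, f"wildcard action: {action}"))
            elif action not in KNOWN_ACTIONS:
                findings.add((sid, f"unknown action: {action}"))
            expected = ARN_SERVICE.get(action.split(":")[0])
            for res in resources:
                parts = res.split(":", 5)  # arn:partition:service:region:account:resource
                if res == "*":
                    findings.add((sid, "resource is '*'"))
                elif expected and (len(parts) < 6 or parts[2] != expected):
                    findings.add((sid, f"{action} paired with non-{expected} resource {res}"))
        for res in resources:
            for token in PLACEHOLDER.findall(res):
                findings.add((sid, f"unreplaced placeholder: {token}"))
    return sorted(findings)

# Constructed sample: the rejected action name from the comment plus a leftover token.
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "Export", "Effect": "Allow", "Action": ["rds:ExportDBSnapshot"],
     "Resource": "arn:aws:rds:eu-west-1:111122223333:snapshot:SNAPSHOT_ID"},
    {"Sid": "Bucket", "Effect": "Allow", "Action": "s3:PutObject",
     "Resource": "arn:aws:s3:::example-export-bucket/*"},
]})

if __name__ == "__main__":
    print(*lint_policy(SAMPLE), sep="\n")
```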