1 Answer
0
Yes, that is possible. In Account A, create an IAM role with permissions to access the RDS snapshot and the necessary S3 bucket in Account B. This role will be assumed by Account B when exporting the snapshot using the CLI with `aws sts assume-role` and `aws rds export-db-snapshot`.
The policy in Account A would look something like this:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRoleAccountB",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNT_B_ID:role/ROLE_NAME_IN_ACCOUNT_B"
    },
    {
      "Sid": "AllowExportSnapshot",
      "Effect": "Allow",
      "Action": [
        "rds:DescribeDBSnapshots",
        "rds:DescribeDBSnapshotAttributes",
        "rds:ListTagsForResource",
        "rds:CopyDBSnapshot"
      ],
      "Resource": "arn:aws:rds:REGION:ACCOUNT_A_ID:snapshot:SNAPSHOT_ID"
    },
    {
      "Sid": "AllowS3BucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    }
  ]
}
```
The policy in Account B then would look like:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowAssumeRoleAccountA",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::ACCOUNT_A_ID:role/ROLE_NAME_IN_ACCOUNT_A"
    },
    {
      "Sid": "AllowS3BucketAccess",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::BUCKET_NAME/*"
    }
  ]
}
```
Hope this helps.
answered a year ago
When I put the policy in Account A, it gives me an error saying: "Invalid Action: The action rds:ExportDBSnapshot does not exist."
Sorry, my mistake, the correct IAM action should be "rds:CopyDBSnapshot": https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html
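The "Invalid Action" error reported in the comments can be caught before a policy is submitted to IAM. The following is an added example, not code from the thread or from AWS: a small offline check that flags unknown or wildcard actions and template placeholders left in ARNs. `lint_policy`, `KNOWN_ACTIONS` and the sample policy are hypothetical names and constructed data, and the action list is a hand-picked subset of the Service Authorization Reference.

```python
import json
import re

# Hand-picked subset of real IAM actions relevant to this thread. Assumption:
# a production check would load the full Service Authorization Reference.
KNOWN_ACTIONS = {a.lower() for a in (
    "sts:AssumeRole", "s3:PutObject", "rds:DescribeDBSnapshots",
    "rds:DescribeDBSnapshotAttributes", "rds:ListTagsForResource",
    "rds:CopyDBSnapshot", "rds:StartExportTask",
)}
# Heuristic for template tokens (ACCOUNT_A_ID, REGION, BUCKET_NAME) left in an ARN.
PLACEHOLDER = re.compile(r"\b[A-Z][A-Z_]{3,}\b")

def as_list(value):
    """IAM allows a single string or a list for Action and Resource."""
    return value if isinstance(value, list) else [value]

def lint_policy(policy_json):
    """Return (sid, problem) tuples for one identity-based policy document."""
    findings = []
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        sid = stmt.get("Sid", "<no Sid>")
        for action in as_list(stmt.get("Action", [])):
            if "*" in action:
                findings.append((sid, f"wildcard action: {action}"))
            elif action.lower() not in KNOWN_ACTIONS:  # action names are case-insensitive
                findings.append((sid, f"unknown action: {action}"))
        for resource in as_list(stmt.get("Resource", [])):
            for token in PLACEHOLDER.findall(resource):
                findings.append((sid, f"placeholder left in ARN: {token}"))
    return findings

# Constructed sample: the action name from the error message in the comments,
# plus an ARN whose placeholders were never substituted.
SAMPLE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowExportSnapshot", "Effect": "Allow",
         "Action": ["rds:DescribeDBSnapshots", "rds:ExportDBSnapshot"],
         "Resource": "arn:aws:rds:REGION:ACCOUNT_A_ID:snapshot:SNAPSHOT_ID"},
        {"Sid": "AllowS3BucketAccess", "Effect": "Allow",
         "Action": "s3:PutObject",
         "Resource": "arn:aws:s3:::example-export-bucket/*"},
    ],
})

if __name__ == "__main__":
    for sid, problem in lint_policy(SAMPLE):
        print(f"{sid}: {problem}")
```

The placeholder pattern is a heuristic and will also flag a legitimately all-uppercase resource name.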