1 Answer
Yes, that is possible. In Account A, create an IAM role with permissions to access the RDS snapshot and the necessary S3 bucket in Account B. This role will be assumed by Account B when exporting the snapshot using the CLI with aws sts assume-role and aws rds export-db-snapshot.
The policy in Account A would look something like this:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAssumeRoleAccountB",
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::ACCOUNT_B_ID:role/ROLE_NAME_IN_ACCOUNT_B"
        },
        {
          "Sid": "AllowExportSnapshot",
          "Effect": "Allow",
          "Action": [
            "rds:DescribeDBSnapshots",
            "rds:DescribeDBSnapshotAttributes",
            "rds:ListTagsForResource",
            "rds:CopyDBSnapshot"
          ],
          "Resource": "arn:aws:rds:REGION:ACCOUNT_A_ID:snapshot:SNAPSHOT_ID"
        },
        {
          "Sid": "AllowS3BucketAccess",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
      ]
    }
The policy in Account B then would look like:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "AllowAssumeRoleAccountA",
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::ACCOUNT_A_ID:role/ROLE_NAME_IN_ACCOUNT_A"
        },
        {
          "Sid": "AllowS3BucketAccess",
          "Effect": "Allow",
          "Action": [
            "s3:PutObject"
          ],
          "Resource": "arn:aws:s3:::BUCKET_NAME/*"
        }
      ]
    }
Hope this helps.
answered a year ago
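Added example, not part of the answer above: a cross-account sts:AssumeRole call succeeds only when the caller's identity policy allows it and the role's trust policy names the caller, so this sketch checks both sides before deployment. The account IDs, role name and trust policy are constructed assumptions, and matching is exact-string only (no wildcards, Deny or Condition evaluation).

```python
# Constructed sample values: the account IDs and role name are placeholders.
ACCOUNT_A, ACCOUNT_B = "111111111111", "222222222222"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/snapshot-export"

# Identity policy on the caller in Account B (statement shape as in the answer).
CALLER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

# Trust policy on the role in Account A (assumed; the answer does not show one).
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_B}:root"}}]}

def as_list(value):
    """IAM accepts a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def allows_assume(stmt):
    return (stmt.get("Effect") == "Allow"
            and "sts:AssumeRole" in as_list(stmt.get("Action", [])))

def caller_may_assume(policy, role_arn):
    """Caller side: an Allow for sts:AssumeRole naming this exact role ARN."""
    return any(allows_assume(s) and role_arn in as_list(s.get("Resource", []))
               for s in as_list(policy["Statement"]))

def trusted_principals(trust):
    """Role side: every AWS principal the trust policy lets assume the role."""
    found = []
    for s in as_list(trust["Statement"]):
        if allows_assume(s):
            principal = s.get("Principal", {})
            found += ["*"] if principal == "*" else as_list(principal.get("AWS", []))
    return found

def check_cross_account(policy, trust, role_arn, caller_account):
    """Return findings; an empty list means both sides line up."""
    findings = []
    principals = trusted_principals(trust)
    if not caller_may_assume(policy, role_arn):
        findings.append("caller policy does not allow sts:AssumeRole on the role")
    if "*" in principals:
        findings.append("trust policy allows any AWS principal")
    elif not any(p == caller_account or p.startswith(f"arn:aws:iam::{caller_account}:")
                 for p in principals):
        findings.append("trust policy does not name the caller's account")
    return findings

if __name__ == "__main__":
    print(check_cross_account(CALLER_POLICY, TRUST_POLICY, ROLE_ARN, ACCOUNT_B) or "ok")
```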
When I put the policy in Account A, it gives me an error saying: "Invalid Action: The action rds:ExportDBSnapshot does not exist."
Sorry, my mistake, the correct IAM action should be "rds:CopyDBSnapshot": https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonrds.html