Open JamesPHoughton opened 9 months ago
Created a policy in the "owner account" ("access-bad-influence-bucket") that allows access only to read the correct bucket.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:s3:::*"
      ]
    },
    {
      "Action": [
        "s3:ListBucket",
        "s3:GetBucketLocation"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:s3:::deliberation-lab-recordings-bad-influence"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject"
      ],
      "Resource": "arn:aws:s3:::deliberation-lab-recordings-bad-influence/*"
    }
  ]
}
```
Create a role ("read-bad-influence-bucket") that can assume the policy we created, and assign principals for that role to the "collaborator" account. Add a trust relationship that allows the collaborator account:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<collaborator AWS Account #>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
Note: can probably make the principal account IDs a list.

Note: at some point also restrict within the account using a role in the account that is locked down?

On the "collaborator" account, created a policy that can access the read-bad-influence-bucket role from the "owner" account (let's call it "accessData").

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<owner AWS account #>:role/read-bad-influence-bucket"
    }
  ]
}
```
Attached the new collaborator policy ("accessData") to the role we wanted to give access to (from the collaborator side). As this was just to view them, it was the administrator role. If we wanted to set up a lambda function to access the videos, we would create a role for that lambda and attach this policy.
What we want is called "AWS cross-account roles" https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html In this case, principal probably means the consuming account?
The "External ID" for a federated user is a bit unusual.
When you have federated accounts, the MFA happens at the pennkey account, not at the Amazon level.
Add multiple accounts who can assume the role: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html#Principal_specifying
https://repost.aws/knowledge-center/cross-account-access-s3
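The three documents above (owner-side permissions policy, the role's trust policy, and the collaborator-side AssumeRole policy) have to agree with each other, and a single typo in an ARN prefix or a stray write action is easy to miss when they are edited by hand. The following script is an added example, not code from the issue author: it generates the three documents from a bucket name and account ids, supports a list of collaborator accounts and an optional `sts:ExternalId` condition (both mentioned in the notes above), and lints the result for read-only scope, matching principals and well-formed ARNs. The account ids, the external id and the `lint_setup` checks are constructed assumptions for the example; the bucket and role names are the ones from the issue.

```python
# Added example: build and lint the IAM documents for read-only cross-account S3 access.
# Account ids and the external id below are constructed placeholders, not real values.
from __future__ import annotations
import json
import re

# The only S3 actions the owner-side policy should grant (the read-only set from the issue).
READ_ONLY_ACTIONS = {"s3:ListAllMyBuckets", "s3:ListBucket",
                     "s3:GetBucketLocation", "s3:GetObject"}
ACCOUNT_RE = re.compile(r"^\d{12}$")
# Generic ARN shape: partition aws, lowercase service, optional region, optional 12-digit account.
ARN_RE = re.compile(r"^arn:aws:[a-z0-9-]+:[a-z0-9-]*:(\d{12})?:.+$")


def owner_read_policy(bucket: str) -> dict:
    """Permissions policy attached to the role in the owner account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"],
             "Resource": "arn:aws:s3:::*"},
            {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Effect": "Allow", "Action": ["s3:GetObject"],
             "Resource": f"arn:aws:s3:::{bucket}/*"},
        ],
    }


def trust_policy(collaborator_accounts: list[str], external_id: str | None = None) -> dict:
    """Trust policy for the owner-side role: each listed account root may assume it,
    and, when external_id is given, only while presenting that sts:ExternalId."""
    for acct in collaborator_accounts:
        if not ACCOUNT_RE.match(acct):
            raise ValueError(f"not a 12-digit AWS account id: {acct!r}")
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": [f"arn:aws:iam::{a}:root" for a in collaborator_accounts]},
        "Action": "sts:AssumeRole",
    }
    if external_id:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def collaborator_assume_policy(owner_account: str, role_name: str) -> dict:
    """Policy attached on the collaborator side to whichever role needs the data."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Resource": f"arn:aws:iam::{owner_account}:role/{role_name}"}],
    }


def _strings(node):
    """Yield every string value in a nested policy document."""
    if isinstance(node, dict):
        for v in node.values():
            yield from _strings(v)
    elif isinstance(node, list):
        for v in node:
            yield from _strings(v)
    elif isinstance(node, str):
        yield node


def lint_setup(perm: dict, trust: dict, assume: dict, bucket: str,
               collaborator_accounts: list[str]) -> list[str]:
    """Return findings; an empty list means the three documents agree,
    stay read-only on the one bucket, and contain no malformed ARNs."""
    findings = []
    for s in perm["Statement"]:
        actions = s["Action"] if isinstance(s["Action"], list) else [s["Action"]]
        resources = s["Resource"] if isinstance(s["Resource"], list) else [s["Resource"]]
        extra = [a for a in actions if a not in READ_ONLY_ACTIONS]
        if extra:
            findings.append(f"non-read action(s) in owner policy: {extra}")
        for r in resources:
            if r == "arn:aws:s3:::*":
                if actions != ["s3:ListAllMyBuckets"]:
                    findings.append(f"wildcard resource granted for {actions}")
            elif r != f"arn:aws:s3:::{bucket}" and not r.startswith(f"arn:aws:s3:::{bucket}/"):
                findings.append(f"resource outside bucket {bucket}: {r}")
    principals = trust["Statement"][0]["Principal"]["AWS"]
    principals = principals if isinstance(principals, list) else [principals]
    expected = {f"arn:aws:iam::{a}:root" for a in collaborator_accounts}
    if set(principals) != expected:
        findings.append(f"trust principals {principals} != expected {sorted(expected)}")
    if not re.match(r"^arn:aws:iam::\d{12}:role/", assume["Statement"][0]["Resource"]):
        findings.append("collaborator policy must target an IAM role ARN")
    for doc in (perm, trust, assume):
        for s in _strings(doc):
            if s.startswith("arn:") and not ARN_RE.match(s):
                findings.append(f"malformed ARN: {s}")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the real ids and external id come from the two parties.
    bucket = "deliberation-lab-recordings-bad-influence"
    accounts = ["111111111111", "222222222222"]
    perm = owner_read_policy(bucket)
    trust = trust_policy(accounts, external_id="example-external-id")
    assume = collaborator_assume_policy("333333333333", "read-bad-influence-bucket")
    for name, doc in (("permissions", perm), ("trust", trust), ("assume", assume)):
        print(f"--- {name}\n{json.dumps(doc, indent=2)}")
    print("findings:", lint_setup(perm, trust, assume, bucket, accounts))
```

The generated documents can be written to files and applied with the standard CLI calls (`aws iam create-role --assume-role-policy-document file://trust.json` for the trust policy, `aws iam put-role-policy --policy-document file://perm.json` for the permissions policy); running `lint_setup` first catches the kind of ARN typo the trust policy above originally had and any action that drifts beyond read-only.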