aws使用外部 ID对其他账号授权

  1. 点击前往授权,进入控制台

https://signin.aws.amazon.com/signin?redirect_uri=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3FhashArgs%3D%2523%26isauthcode%3Dtrue%26state%3DhashArgsFromTB_eu-north-1_f2d9c316b93c0026&client_id=arn%3Aaws%3Asignin%3A%3A%3Aconsole%2Fcanvas&forceMobileApp=0&code_challenge=N4VDaEVnh2s2dWnL79Hzyqja2aWFGDoE1FbHXWk6G1M&code_challenge_method=SHA-256

  1. 选择IAM授权
    2.1 左边栏选择角色,创建角色
    aws使用外部 ID对其他账号授权_第1张图片
    2.2 选择自定义信任策略
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws-cn:iam::<被授权的账号ID>:user/<用户名>"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "<外部ID>"
                }
            }
        }
    ]
}

aws使用外部 ID对其他账号授权_第2张图片
2.3 点击下一步,进入创建策略
aws使用外部 ID对其他账号授权_第3张图片
2.4 指定权限

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:GetObject",
                "s3:ListBucket"
            ],
            "Resource": "arn:aws-cn:s3:::bucket-test-0529/*"   //只针对特定bucket授权
            "Resource": "arn:aws-cn:s3:::*"                    //所有bucket授权
        }
    ]
}

aws使用外部 ID对其他账号授权_第4张图片
2.5 保存权限
aws使用外部 ID对其他账号授权_第5张图片
2.6 选中权限
回到创建角色界面,点击刷新后,出现我们上一步创建的权限
aws使用外部 ID对其他账号授权_第6张图片
2.7 填写角色名,点击创建角色,完成授权
aws使用外部 ID对其他账号授权_第7张图片

  1. 被授权ID需要权限
    aws使用外部 ID对其他账号授权_第8张图片
    aws使用外部 ID对其他账号授权_第9张图片
  2. 被授权账号生成ak,sk
package main

import (
	"fmt"

	"github.com/aws/aws-sdk-go/aws"
	"github.com/aws/aws-sdk-go/aws/awserr"
	"github.com/aws/aws-sdk-go/aws/credentials"
	"github.com/aws/aws-sdk-go/aws/session"
	"github.com/aws/aws-sdk-go/service/sts"
)

// Uploads a file to S3 given a bucket and object key. Also takes a duration
// value to terminate the update if it doesn't complete within that time.
//
// The AWS Region needs to be provided in the AWS shared config or on the
// environment variable as `AWS_REGION`. Credentials also must be provided
// Will default to shared config file, but can load from environment if provided.
//
// Usage:
//
//	# Upload myfile.txt to myBucket/myKey. Must complete within 10 minutes or will fail
//	go run withContext.go -b mybucket -k myKey -d 10m < myfile.txt

func main() {
	region := "cn-northwest-1"
	endpoint := ""
	ak := "**"                     //被授权账号
	sk := "**" //被授权账号
	externalId := "dfsafsf"
	cfgs := &aws.Config{
		Region:      &region,
		Endpoint:    &endpoint,
		Credentials: credentials.NewStaticCredentials(ak, sk, ""),
	}
	sess := session.Must(session.NewSession(cfgs))

	svc := sts.New(sess)
	input := &sts.AssumeRoleInput{
		ExternalId:      aws.String(externalId),
		RoleArn:         aws.String("arn:aws-cn:iam::<授权账号>:role/<角色名字>"),
		RoleSessionName: aws.String("new_session"),
	}

	result, err := svc.AssumeRole(input)
	if err != nil {
		if aerr, ok := err.(awserr.Error); ok {
			switch aerr.Code() {
			case sts.ErrCodeMalformedPolicyDocumentException:
				fmt.Println(sts.ErrCodeMalformedPolicyDocumentException, aerr.Error())
			case sts.ErrCodePackedPolicyTooLargeException:
				fmt.Println(sts.ErrCodePackedPolicyTooLargeException, aerr.Error())
			case sts.ErrCodeRegionDisabledException:
				fmt.Println(sts.ErrCodeRegionDisabledException, aerr.Error())
			case sts.ErrCodeExpiredTokenException:
				fmt.Println(sts.ErrCodeExpiredTokenException, aerr.Error())
			default:
				fmt.Printf("aerr other %s  err %s\n", aerr.Code(), err.Error())
			}
		} else {
			// Print the error, cast err to awserr.Error to get the Code and
			// Message from an error.
			fmt.Printf("other err %s\n", err.Error())
		}
		return
	}

	fmt.Println(result)
}

你可能感兴趣的:(存储,aws,外部ID,授权)