java AWS帐户A lambda试图触发B帐户的ecs运行任务
lambda函数中的代码-
String arn = "arn:aws:ecs:eu-west-1:accountId(B-account):task-definition/task-defn-name";
String cluster="arn:aws:ecs:eu-west-1:accountId(B-account):cluster/cluster name";
RunTaskRequest request = new RunTaskRequest().withLaunchType(LaunchType.EC2).withCluster(cluster).withTaskDefinition(arn);
final STSAssumeRoleSessionCredentialsProvider cross_acct_lambda = new STSAssumeRoleSessionCredentialsProvider.Builder("AccountB-Role", "cross_acct_lambda").build();
RunTaskResult response = AmazonECSClientBuilder.standard().withCredentials(cross_acct_lambda).build().runTask(request);
我使用默认凭据提供程序而不是STSAssumeRoleSessionCredentialsProvider,这样做有效
帐户B角色中的权限策略
{
"Effect": "Allow",
"Action": [
"ecs:RunTask",
"ecs:Describe*",
"ecs:List*"
],
"Resource": [
"*"
]
}
B账户中角色的信任关系
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": [
"ecs-tasks.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::AccountId-Aaccount:role/ecsLambdaRole"
},
"Action": "sts:AssumeRole"
}
]
}
A-帐户角色
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::AccountId-Baccount:role/role name"
}
}
# 1 楼答案
遗憾的是,您无法在尝试时直接执行此操作
通常,通过cross-account roles启用跨帐户操作
为了在您的用例中工作,您必须执行以下操作:
在AccB中设置一个可分配的角色。该角色将具有具有启动其ecs任务权限的策略。信任关系将允许AccA承担该角色
AccA中的lambda执行角色将具有从AccB承担该角色的权限(即^{)
lambda将使用STS服务显式地承担角色。对STS的调用将返回临时IAM凭据。凭证允许您在lambda函数中创建会话,以触发AccB中的ECS任务
下面的AWS博客文章解释了如何从AccB在lambda中扮演角色: