我有两个AWS账户(A和B)。 在我的帐户A上,我有一个需要访问帐户B资源的lambda功能。准确地说,我的帐户A上的lambda需要更新帐户B上托管的Route53区域中的记录。
与S3相反,我在Route53中看不到任何资源访问策略。 所以我有点失落。 我试图玩IAM跨账户角色,但似乎并不适用于lambda。
我如何允许帐户A上的lambda函数访问我的帐户B的资源?
I have two AWS account (A and B). On my account A, I have a lambda function which need to access to resources of account B. Precisely, my lambda on my account A, need to update a record in a Route53 zone hosted on my account B.
Contrary to S3, I don't see any resource access policy in Route53. So I'm a bit lost. I tried to play with IAM cross account roles, but that does not seems to work with lambda.
How can I allow a lambda function on an account A to access resources of my account B?
最满意答案
您可以在帐户B中创建一个角色,并允许您的用户(帐户A)承担它。
在您的AWS Lambda函数中使用的账户A中创建一个角色 。 在帐户B中创建角色类型为跨账户访问的角色 。 在帐户B中分配所需的权限以使用路由53.还要为帐户A中的角色添加权限以调用此角色的AssumeRole 。 帐户A中的Lambda函数然后可以对帐户B中的角色调用AssumeRole 。这将返回一组临时凭证 ,可用于访问帐户B中的Route 53。看到:
教程:使用IAM角色委派跨AWS账户的访问 创建角色以将权限委派给IAM用户以下是教程中的图片:
You can create a Role in account B and permit your User (in account A) to assume it.
Create a Role in account A that will be used by your AWS Lambda function. Create a Role in account B with a role type of Role for Cross-Account Access. Assign the desired permissions to use Route 53 in account B. Also add permissions for the Role in account A to call AssumeRole on this role. The Lambda function in account A can then call AssumeRole on the role in account B. This will return a set of temporary credentials that can be used to access Route 53 in account B.See:
Tutorial: Delegate Access Across AWS Accounts Using IAM Roles Creating a Role to Delegate Permissions to an IAM UserHere's a picture from the Tutorial:
更多推荐
发布评论