我正在尝试将账户 B 中的 Glue 中的虚拟文件放入账户 A 中的 S3 存储桶。S3 存储桶(test-bucket)正在启用 AWS-KMS 加密并启用 aws/s3 托管密钥。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Deny PutObject if NOT using correct KMS Encryption Key",
"Effect": "Deny",
"Principal": "*",
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"StringNotEquals": {
"s3:x-amz-server-side-encryption": "",
"s3:x-amz-server-side-encryption-aws-kms-key-id": "<ARN_KMS_ACCOUNT_A>"
}
}
},
{
"Sid": "Allow Glue Role in Application account to put objects in the S3 bucket",
"Effect": "Allow",
"Principal": {
"AWS": "<IAM_Glue_Role_ARN>"
},
"Action": [
"s3:AbortMultipartUpload",
"s3:GetBucketLocation",
"s3:GetObject",
"s3:ListBucket",
"s3:ListBucketMultipartUploads",
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::test-bucket",
"arn:aws:s3:::test-bucket/*"
]
},
{
"Sid": "Only allow writes to my bucket with bucket owner full control",
"Effect": "Allow",
"Principal": {
"AWS": "<IAM_Glue_Role_ARN>"
},
"Action": "s3:PutObject",
"Resource": "arn:aws:s3:::test-bucket/*",
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:Put*"
],
"Resource": "arn:aws:s3:::test-bucket*",
"Effect": "Allow"
},
{
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey"
],
"Resource": "<ARN_KMS_ACCOUNT_A>",
"Effect": "Allow"
}
]
}
这是我的胶水代码:
s3.put_object(
Bucket='output',
Key='_SUCCESS',
ServerSideEncryption='aws:kms',
SSEKMSKeyId='<ARN_KMS_ACCOUNT_A>'
)
从帐户 B Glue 运行此代码时出现以下错误:
ClientError: An error occurred (KMS.NotFoundException) when calling the PutObject operation: Invalid arn ap-southeast-2
对此有什么想法吗?
有几件事:
Deny
权限应始终位于所有 Allow
权限之后。并删除 condition
权限上的 Deny
。您想要阻止所有未经授权的流量。kms:decrypt
给该密钥策略上的粘合角色。如此处所述,您必须使用加密密钥的完整 ARN,这样跨账户才能成功。使用别名或密钥 ID 不起作用。
S3 存储桶应该看起来像这样
AWS 托管密钥
aws/s3
只能在同一帐户中使用,即密钥存在的位置(在您的情况下,其帐户 A)。您可以尝试使用账户 B 中的 aws/s3
CMK,或者在账户 A 中创建客户管理的 CMK 并按照此处的步骤与账户 B 共享。