I would like to know whether there is a way to access a jar file and the input and output locations in S3 from another account. My EMR cluster is running in account 1. I want to access the file and jar locations in S3 of account 2. I am launching it with the AWS SDK using AWS Simple Workflow. Thanks.

Best answer

You need to create a role for cross-account access:
http://docs.aws.amazon.com/IAM/latest/UserGuide/delegation-cross-acct-access.html
You can establish cross-account access using IAM roles. You define a role in account 2 that can be assumed by a user (an IAM user or a federated user) in account 1. Using a role for cross-account access can grant access to any resource in account 2 (in your case, S3).
Edit:
First you need to create a role that has read/write access to S3 in account 2 (let's name it "S3-ReadWrite-role") and allow users from account 1 to use the role "S3-ReadWrite-role".
Check this link; it explains how to do it:
http://blogs.aws.amazon.com/security/post/TxC24FI9IDXTY1/Delegating-API-Access-to-AWS-Services-Using-IAM-span-class-matches-Roles-span
After completing the first step, you can use this code (untested):
Using your credentials you will receive temporary security credentials for "S3-ReadWrite-role", and then you use those temporary security credentials to access S3 ;)
import java.io.InputStream;
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.s3.model.GetObjectRequest;
import com.amazonaws.services.s3.model.S3Object;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;

public class AssumeRoleDemo {
    // ARN of the role in account 2 that grants S3 read/write and trusts account 1.
    private static final String ROLE_ARN =
        "arn:aws:iam::111122223333:role/S3-ReadWrite-role";
    private static AWSCredentials longTermCredentials_;

    private static void init() throws Exception {
        // Acquire the account 1 user's long-term credentials from the properties file (you should use this method)
        //longTermCredentials_ = new PropertiesCredentials(AssumeRoleDemo.class.getResourceAsStream("AwsCredentials.properties"));
        // or you can use this one (here the key pair is read from the standard AWS environment variables)
        longTermCredentials_ = new BasicAWSCredentials(
            System.getenv("AWS_ACCESS_KEY_ID"),
            System.getenv("AWS_SECRET_ACCESS_KEY"));
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: AssumeRoleDemo <bucketName> <key>");
            System.exit(1);
        }
        String bucketName = args[0]; // bucket owned by account 2
        String key = args[1];        // object key inside that bucket
        init();

        // Step 1. Use Joe's long-term credentials to call the
        // AWS Security Token Service (STS) AssumeRole API, specifying
        // the ARN for the role S3-ReadWrite-role in account 2.
        AWSSecurityTokenServiceClient stsClient =
            new AWSSecurityTokenServiceClient(longTermCredentials_);
        AssumeRoleRequest assumeRequest = new AssumeRoleRequest()
            .withRoleArn(ROLE_ARN)
            .withDurationSeconds(3600)
            .withRoleSessionName("demo");
        AssumeRoleResult assumeResult = stsClient.assumeRole(assumeRequest);

        // Step 2. AssumeRole returns temporary security credentials for
        // the IAM role (access key, secret key and session token).
        BasicSessionCredentials temporaryCredentials =
            new BasicSessionCredentials(
                assumeResult.getCredentials().getAccessKeyId(),
                assumeResult.getCredentials().getSecretAccessKey(),
                assumeResult.getCredentials().getSessionToken());

        // Step 3. Make S3 service calls to read data from S3, stored in
        // account 2, using the temporary security credentials from the
        // S3-ReadWrite-role that were returned in the previous step.
        AmazonS3 s3Client = new AmazonS3Client(temporaryCredentials);
        S3Object object = s3Client.getObject(new GetObjectRequest(bucketName, key));
        InputStream objectData = object.getObjectContent();
        try {
            // Process the objectData stream.
        } finally {
            objectData.close();
        }
    }
}
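The answer describes the first step (create "S3-ReadWrite-role" in account 2 with S3 read/write permissions and let account 1 assume it) but does not show the role definition itself. The CloudFormation template below is an added example, not part of the answer: it creates that role in account 2 with a trust policy naming account 1 as the principal and a permissions policy scoped to a single bucket instead of all of S3. The account ID, bucket name, stack name and policy name are placeholders.

```yaml
# Added example (not from the answer above): creates "S3-ReadWrite-role" in account 2.
# TrustedAccountId and BucketName are placeholders; the role name matches the ROLE_ARN
# used by the AssumeRoleDemo code in the answer.
AWSTemplateFormatVersion: '2010-09-09'
Description: Role in account 2 that account 1 may assume to read/write one S3 bucket
Parameters:
  TrustedAccountId:
    Type: String
    Description: Account 1, where the EMR cluster and the SWF client run (placeholder)
    Default: '111111111111'
  BucketName:
    Type: String
    Description: Bucket in account 2 holding the jar and the input/output locations (placeholder)
    Default: 'example-account2-bucket'
Resources:
  S3ReadWriteRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: S3-ReadWrite-role
      # Trust policy: which principals may call sts:AssumeRole on this role.
      # ":root" delegates to account 1's own IAM policies, so the calling user
      # in account 1 also needs an identity policy allowing sts:AssumeRole on this ARN.
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub 'arn:aws:iam::${TrustedAccountId}:root'
            Action: sts:AssumeRole
      # Permissions policy: only the one bucket, not s3:* on every bucket in account 2.
      Policies:
        - PolicyName: S3ReadWriteOneBucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Sid: ListTheBucket
                Effect: Allow
                Action:
                  - s3:ListBucket
                Resource: !Sub 'arn:aws:s3:::${BucketName}'
              - Sid: ReadWriteObjectsInTheBucket
                Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:PutObject
                  - s3:DeleteObject
                Resource: !Sub 'arn:aws:s3:::${BucketName}/*'
Outputs:
  RoleArn:
    Description: Value to pass to AssumeRoleRequest.withRoleArn from account 1
    Value: !GetAtt S3ReadWriteRole.Arn
```

Deploy it with account 2 credentials, for example `aws cloudformation deploy --template-file role.yaml --stack-name s3-readwrite-role --capabilities CAPABILITY_NAMED_IAM --parameter-overrides TrustedAccountId=<account 1 id> BucketName=<bucket>`, then use the `RoleArn` output as `ROLE_ARN` in the Java code. Naming the account root as principal is the pattern the linked AWS documentation uses; if only the EMR cluster should be able to assume the role, replace the principal with the ARN of the specific IAM user or EC2 instance profile role in account 1 so that the trust is narrower than the whole account.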