My company has an organization set up in AWS (CompanyA as an example). Each team has an account joined to this organization (HR, ProductA, ProductB, etc.). We in ProductA are attempting to grant read-only access to an S3 bucket we own, which serves as a yum repository, to anyone under this organization from their EC2 instances without auth (yum commands work out of the box).
Some items we evaluated: https://github.com/rmela/yum-s3-plugin -> This would go along with user principal access; users would need to add their keys to pull from the repo.
http://parthicloud.com/how-to-access-s3-bucket-from-application-on-amazon-ec2-without-access-credentials/ -> Great tutorial for inside your own account; EC2 instances need to be brought up with an IAM policy to allow access to the bucket.
Add a condition to the bucket policy listing your AWS Organization, and allow all principals access. See AWS Global Condition Context Keys, search for aws:PrincipalOrgID.
"When you add and remove accounts, policies that include aws:PrincipalOrgID automatically include the correct accounts and don't require manual updating."
The Action and Resource sections in the example below should be the same as for your current policy that lists all the AWS accounts in your organization.
{
    "Version": "2012-10-17",
    "Statement": {
        "Sid": "AllowOrganizationToReadYumBucket",
        "Effect": "Allow",
        "Principal": "*",
        "Action": [
            "s3:GetObject",
            "s3:ListBucket"
        ],
        "Resource": [
            "arn:aws:s3:::your-yum-bucket",
            "arn:aws:s3:::your-yum-bucket/*"
        ],
        "Condition": {
            "StringEquals": {"aws:PrincipalOrgID": ["o-xxxxxxxxxxx"]}
        }
    }
}
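The following is an added example, not part of the question or the answer above. It generates the bucket policy from the answer for a given bucket and organization ID, and pairs it with a deliberately simplified model of how S3 evaluates that one Allow statement, so the key caveat can be checked offline: aws:PrincipalOrgID is only present in the request context of a signed request from a principal in an organization. An anonymous HTTP GET from a stock yum client carries no such key, StringEquals on a missing key evaluates to false, and the request is denied. In practice the EC2 instances therefore still need an instance profile role (in any member account; no bucket-side account list is needed) and a yum plugin such as the yum-s3-plugin linked in the question to sign the requests. The bucket name and the org ID "o-exampleorg1" are placeholders; the evaluator ignores explicit Deny statements, SCPs, ACLs and identity policies, and the Statement is emitted as a list (the answer's single-object form is equally valid).

```python
import fnmatch
import json
import re

# An AWS Organizations ID is "o-" followed by 10 to 32 lowercase letters or digits.
ORG_ID_RE = re.compile(r"^o-[a-z0-9]{10,32}$")


def build_yum_bucket_policy(bucket: str, org_id: str) -> dict:
    """Return the bucket policy from the answer with the placeholders filled in.

    The org ID is validated up front: a typo there would silently produce a
    policy that matches nobody in the organization.
    """
    if not ORG_ID_RE.match(org_id):
        raise ValueError(f"not a valid AWS Organizations ID: {org_id!r}")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "AllowOrganizationToReadYumBucket",
                "Effect": "Allow",
                "Principal": "*",
                "Action": ["s3:GetObject", "s3:ListBucket"],
                "Resource": [
                    f"arn:aws:s3:::{bucket}",
                    f"arn:aws:s3:::{bucket}/*",
                ],
                "Condition": {
                    "StringEquals": {"aws:PrincipalOrgID": [org_id]}
                },
            }
        ],
    }


def _as_list(value):
    """IAM allows scalars or lists in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def allowed_by_policy(policy: dict, action: str, resource_arn: str,
                      request_context: dict) -> bool:
    """Simplified model (assumption: Allow + StringEquals only) of how S3
    evaluates this bucket policy for a single request.

    Explicit Deny, SCPs, ACLs and identity policies are not modelled. The rule
    that matters for the yum use case: a condition key that is absent from the
    request context makes StringEquals evaluate to false, so an anonymous
    request (no aws:PrincipalOrgID at all) never matches the statement.
    """
    for stmt in _as_list(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if action not in _as_list(stmt.get("Action", [])):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, pattern)
                   for pattern in _as_list(stmt.get("Resource", []))):
            continue
        conditions_hold = True
        for operator, pairs in stmt.get("Condition", {}).items():
            if operator != "StringEquals":
                raise NotImplementedError(f"operator {operator} not modelled")
            for key, accepted in pairs.items():
                actual = request_context.get(key)
                if actual is None or actual not in _as_list(accepted):
                    conditions_hold = False
        if conditions_hold:
            return True
    return False


if __name__ == "__main__":
    policy = build_yum_bucket_policy("your-yum-bucket", "o-exampleorg1")
    print(json.dumps(policy, indent=2))
    obj = "arn:aws:s3:::your-yum-bucket/repodata/repomd.xml"
    # Signed request from a role in any member account of the org: allowed.
    print(allowed_by_policy(policy, "s3:GetObject", obj,
                            {"aws:PrincipalOrgID": "o-exampleorg1"}))
    # Unsigned HTTP GET from a stock yum client (constructed context): denied.
    print(allowed_by_policy(policy, "s3:GetObject", obj, {}))
```

Run it to see the rendered policy followed by True and False. The second result is the one to keep in mind when testing from an instance: if curl against the bucket URL returns 403 while the same object downloads fine through an SDK using the instance role, the policy is working exactly as written and what is missing is request signing on the yum side, not another bucket-policy change.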