How to fix a Glue PySpark write to another account's S3 bucket when the role has a KMS policy covering both accounts' KMS keys
We are trying to write data from an account (Account A), whose S3 bucket also has KMS enabled, into a KMS-enabled S3 bucket in another account (Account B) through a PySpark df.write operation. So the role has been given a policy that can operate on both accounts' KMS keys, and the appropriate permissions have been granted to the Account A role on the Account B bucket. But when writing the data, the PySpark job fails with the exception KMS.NotFoundException, which tries to find Account B's key in Account A, where it cannot be found.
Consider: Account A is 112233445566, Account B is 224466881010, and AccountBBucket is accountB_testBucketwithKMS.
Below are the CloudFormation templates for reference:
Role in Account A
```yaml
GlueEtlRole:
  Type: AWS::IAM::Role
  Properties:
    RoleName: AccountA_Role
    AssumeRolePolicyDocument:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action: sts:AssumeRole
          Principal:
            Service: glue.amazonaws.com
    ManagedPolicyArns:
      - 'arn:aws:iam::aws:policy/service-role/AWSGlueServiceRole'
      - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
    Policies:
      - PolicyName: AccountBAccessPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - s3:ListBucket
                - s3:GetObject
                - s3:PutObject
                - s3:DeleteObject
                - s3:PutObjectAcl
              Resource:
                - !Sub arn:aws:s3:::${AccountBBucket}
      - PolicyName: RawKmsEncryptionPolicy
        PolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - kms:Encrypt
                - kms:Decrypt
                # kms:ReEncrypt is not a valid action name; the wildcard
                # covers kms:ReEncryptFrom and kms:ReEncryptTo
                - kms:ReEncrypt*
                - kms:GenerateDataKey
                - kms:DescribeKey
              Resource:
                - arn:aws:kms:us-east-1:112233445566:key/*
                - arn:aws:kms:us-east-1:224466881010:key/*
```
Bucket in Account B
```yaml
AccountBbucket:
  Type: 'AWS::S3::Bucket'
  Properties:
    BucketName: accountB_testBucketwithKMS
    PublicAccessBlockConfiguration:
      BlockPublicAcls: true
      BlockPublicPolicy: true
      IgnorePublicAcls: true
      RestrictPublicBuckets: true
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: aws:kms
            KMSMasterKeyID: !Ref BucketKey

AccountBBucketPolicy:
  Type: "AWS::S3::BucketPolicy"
  Properties:
    Bucket: !Ref AccountBbucket
    PolicyDocument:
      Statement:
        - Effect: Allow
          Principal:
            AWS:
              - arn:aws:iam::112233445566:role/AccountA_Role
          Action:
            - s3:ListBucket
            - s3:GetObject
            - s3:PutObject
            - s3:DeleteObject
          Resource:
            - !Sub arn:aws:s3:::${AccountBbucket}
            - !Sub arn:aws:s3:::${AccountBbucket}/*

BucketKey:
  Type: AWS::KMS::Key
  Properties:
    Description: Test AWS KMS Key
    EnableKeyRotation: true
    PendingWindowInDays: 30
    KeyUsage: ENCRYPT_DECRYPT
    KeyPolicy:
      Version: '2012-10-17'
      Statement:
        - Effect: Allow
          Action: kms:*
          Resource: '*'
          Principal:
            AWS:
              - !Sub arn:aws:iam::224466881010:root
              - !Sub arn:aws:iam::112233445566:root
```
Please help if we have missed anything on our side.
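The posted bucket sets `KMSMasterKeyID: !Ref BucketKey`, and `!Ref` on an `AWS::KMS::Key` returns the bare key ID; S3 documents that a fully qualified key ARN is required when the bucket is used cross-account or by an AWS service, because a bare ID is resolved in the caller's account. The fragment below is an added example, not part of the original question, that re-states the same two Account B resources with the key ARN and a key policy scoped to the Account A role rather than the whole account (resource names and account IDs are those from the post).

```yaml
AccountBbucket:
  Type: AWS::S3::Bucket
  Properties:
    BucketName: accountB_testBucketwithKMS
    BucketEncryption:
      ServerSideEncryptionConfiguration:
        - ServerSideEncryptionByDefault:
            SSEAlgorithm: aws:kms
            # Full key ARN, not the bare key ID that !Ref returns.
            # A bare ID is looked up in the calling account (Account A),
            # where this key does not exist, hence KMS.NotFoundException.
            KMSMasterKeyID: !GetAtt BucketKey.Arn

BucketKey:
  Type: AWS::KMS::Key
  Properties:
    Description: Test AWS KMS Key
    EnableKeyRotation: true
    PendingWindowInDays: 30
    KeyUsage: ENCRYPT_DECRYPT
    KeyPolicy:
      Version: '2012-10-17'
      Statement:
        # Account B keeps administrative control of its own key.
        - Sid: KeyAdministration
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::224466881010:root
          Action: kms:*
          Resource: '*'
        # Only the Glue role in Account A, and only the operations an
        # SSE-KMS write needs. The role's RawKmsEncryptionPolicy in
        # Account A must still allow these actions on this key's ARN.
        - Sid: AllowAccountAGlueRole
          Effect: Allow
          Principal:
            AWS: arn:aws:iam::112233445566:role/AccountA_Role
          Action:
            - kms:Encrypt
            - kms:Decrypt
            - kms:ReEncrypt*
            - kms:GenerateDataKey*
            - kms:DescribeKey
          Resource: '*'
```

Keeping the Account A grant on the role ARN instead of the account root means a CloudTrail `GenerateDataKey` event from any other Account A principal against this key is a deny worth alerting on.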