S3 Access Grantsとは
公式には以下のような記載があります。
Active Directory などのディレクトリや AWS Identity and Access Management (IAM) プリンシパルのアイデンティティを S3 のデータセットにマッピングします。これにより、社内のアイデンティティに基づいてエンドユーザーに S3 のアクセス権を自動的に付与することで、データのアクセス許可を大規模に管理できます。また、S3 Access Grants では、S3 のデータにアクセスするために使用されたエンドユーザーのアイデンティティとアプリケーションを AWS CloudTrail のログに記録します。これにより、S3 バケットのデータへのすべてのアクセスについて、エンドユーザーのアイデンティティなどの詳細な監査履歴を手に入れることができます。
(省略)
Amazon S3 Access Grants は、AWS IAM アイデンティティセンターが提供されているすべての AWS リージョンでご利用いただけます。
AWS IAM Identity Centerとは
以前、AWS SSOで提供されていたサービスが名称変更に伴い、
AWS IAM Identity Centerとなっています。
とりあえずやってみよう
AWS IAM Identity Centerがあるリージョンでしか利用できないです
[1] S3 Access Grants and corporate directory identities -
https://docs.aws.amazon.com/ja_jp/AmazonS3/latest/userguide/access-grants-directory-ids.html
--- 抜粋 ---
In all cases, the IAM Identity Center instance must be in the same AWS Region as the S3 Access Grants instance to which it will be associated.
-----------
[2] Register a location -
https://docs.aws.amazon.com/ja_jp/AmazonS3/latest/userguide/access-grants-location.html
--- 抜粋 ---
Create one or more buckets that contain the data that you want to grant access to. These buckets must be located in the same AWS Region as your S3 Access Grants instance.
-----------
AWS IAM Identity Centerのリージョン確認
直接AWS IAM Identity Centerのインスタンスがどのリージョンにあるのかを確認することはできませんでしたので、以下のようにして確認することが可能です。(不明な場合)
利用できるリージョンを総当たりにするので、折りたたみます。
AWS IAM Identity Centerのリージョン確認
% for region in $(aws ec2 describe-regions --output text | cut -f4)
do
echo "Checking region $region..."
aws sso-admin list-instances --region $region
done
Checking region ap-south-1...
{
"Instances": []
}
Checking region eu-north-1...
{
"Instances": []
}
Checking region eu-west-3...
{
"Instances": []
}
Checking region eu-west-2...
{
"Instances": []
}
Checking region eu-west-1...
{
"Instances": []
}
Checking region ap-northeast-3...
{
"Instances": []
}
Checking region ap-northeast-2...
{
"Instances": []
}
Checking region ap-northeast-1...
{
"Instances": [
{
"CreatedDate": "2021-06-20T14:10:08.711000+09:00",
"IdentityStoreId": "d-95671eaa63",
"InstanceArn": "arn:aws:sso:::instance/ssoins-77*********dd",
"OwnerAccountId": "33********74",
"Status": "ACTIVE"
}
]
}
Checking region ca-central-1...
{
"Instances": []
}
Checking region sa-east-1...
{
"Instances": []
}
Checking region ap-southeast-1...
{
"Instances": []
}
Checking region ap-southeast-2...
{
"Instances": []
}
Checking region eu-central-1...
{
"Instances": []
}
Checking region us-east-1...
{
"Instances": []
}
Checking region us-east-2...
{
"Instances": []
}
Checking region us-west-1...
{
"Instances": []
}
Checking region us-west-2...
{
"Instances": []
}
%
S3作成
S3は以下のように作成しました
% aws s3 mb s3://shibao-s3-grants
aws s3api put-object --bucket shibao-s3-grants --key folderA/
aws s3api put-object --bucket shibao-s3-grants --key folderB/
make_bucket: shibao-s3-grants
{
"ETag": "\"d41d8cd98f00b204e9800998ecf8427e\"",
"ServerSideEncryption": "AES256"
}
{
"ETag": "\"d41d8cd98f00b204e9800998ecf8427e\"",
"ServerSideEncryption": "AES256"
}
%
% aws s3api get-bucket-location --bucket shibao-s3-grants
{
"LocationConstraint": "ap-northeast-1"
}
%
CloudShellのAWS CLI標準のバージョンでは実装されていないバージョンです
毎回コンテナ環境で変わるたびに更新するのが手間なので今回は利用しません
$ aws --version
aws-cli/2.13.35 Python/3.11.6 Linux/6.1.61-85.141.amzn2023.x86_64 exec-env/CloudShell exe/x86_64.amzn.2 prompt/off
$
$ aws s3cotrol help
usage: aws [options] <command> <subcommand> [<subcommand> ...] [parameters]
To see help text, you can run:
aws help
aws <command> help
aws <command> <subcommand> help
aws: error: argument command: Invalid choice, valid choices are:
...
Invalid choice: 's3cotrol', maybe you meant:
* s3control
$
今回は手元の環境でAWS CLIを最新化するついでに確認しました
% aws --version
aws-cli/2.14.5 Python/3.11.6 Darwin/23.1.0 source/arm64 prompt/off
% aws s3control help
S3CONTROL() S3CONTROL()
NAME
s3control -
DESCRIPTION
Amazon Web Services S3 Control provides access to Amazon S3 control
plane actions.
AVAILABLE COMMANDS
o associate-access-grants-identity-center
o create-access-grant
o create-access-grants-instance
o create-access-grants-location
o create-access-point
o create-access-point-for-object-lambda
o create-bucket
...
アカウント確認
% aws sts get-caller-identity --query "Account" --output text
33********74
%
S3 Access Grantsのインスタンス作成
% aws s3control create-access-grants-instance --account-id 33********74
{
"CreatedAt": "2023-12-07T11:00:13.840000+00:00",
"AccessGrantsInstanceId": "default",
"AccessGrantsInstanceArn": "arn:aws:s3:ap-northeast-1:33********74:access-grants/default"
}
%
S3 Access Grantsで利用するIAM
IAM Roleの信頼ポリシーのJSON
% cat ./trust-policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "access-grants.s3.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity",
"sts:SetContext"
]
}
]
}
%
IAM Role作成
% aws iam create-role --role-name s3ag-location-role \
--assume-role-policy-document file://trust-policy.json
{
"Role": {
"Path": "/",
"RoleName": "s3ag-location-role",
"RoleId": "AROAU3QBWPKDGNSIR3ORT",
"Arn": "arn:aws:iam::33********74:role/s3ag-location-role",
"CreateDate": "2023-12-06T12:15:49+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "access-grants.s3.amazonaws.com"
},
"Action": [
"sts:AssumeRole",
"sts:SetSourceIdentity",
"sts:SetContext"
]
}
]
}
}
}
%
アタッチするIAMポリシーのJSONとアタッチ
% less iam-policy.json
{
"Version":"2012-10-17",
"Statement": [
{
"Sid": "ObjectLevelReadPermissions",
"Effect":"Allow",
"Action":[
"s3:GetObject",
"s3:GetObjectVersion",
"s3:GetObjectAcl",
"s3:GetObjectVersionAcl",
"s3:ListMultipartUploadParts"
],
"Resource":[
"arn:aws:s3:::*"
],
...
% aws iam put-role-policy --role-name s3ag-location-role --policy-name s3ag-location-role --policy-document file://iam-policy.json
%
作成したIAM Roleに対してS3にアクセスできるよう権限付与
% aws s3control create-access-grants-location \
--account-id 33********74 \
--location-scope s3:// \
--iam-role-arn arn:aws:iam::33********74:role/s3ag-location-role
{
"CreatedAt": "2023-12-07T11:01:06.675000+00:00",
"AccessGrantsLocationId": "default",
"AccessGrantsLocationArn": "arn:aws:s3:ap-northeast-1:33********74:access-grants/default/location/default",
"LocationScope": "s3://",
"IAMRoleArn": "arn:aws:iam::33********74:role/s3ag-location-role"
}
%
特定のS3ロケーションに対して特定のRoleでアクセス権限付与
% aws s3control create-access-grant \
--account-id 33********74 \
--access-grants-location-id "default" \
--access-grants-location-configuration "S3SubPrefix=\"shibao-s3-grants/folderA/*\"" \
--permission READWRITE \
--grantee "GranteeType=IAM,GranteeIdentifier=\"arn:aws:iam::33********74:role/aws-reserved/sso.amazonaws.com/ap-northeast-1/AWSReservedSSO_folderA_118a25d1911c957e\""
{
"CreatedAt": "2023-12-07T11:03:01.878000+00:00",
"AccessGrantId": "da81283d-b3d9-498f-9f7b-5bacb3b96a45",
"AccessGrantArn": "arn:aws:s3:ap-northeast-1:33********74:access-grants/default/grant/da81283d-b3d9-498f-9f7b-5bacb3b96a45",
"Grantee": {
"GranteeType": "IAM",
"GranteeIdentifier": "arn:aws:iam::33********74:role/aws-reserved/sso.amazonaws.com/ap-northeast-1/AWSReservedSSO_folderA_118a25d1911c957e"
},
"AccessGrantsLocationId": "default",
"AccessGrantsLocationConfiguration": {
"S3SubPrefix": "shibao-s3-grants/folderA/*"
},
"Permission": "READWRITE",
"GrantScope": "s3://shibao-s3-grants/folderA/*"
}
%
IAM Identity Centerのインスタンスと紐づけ
% aws s3control associate-access-grants-identity-center \
--account-id 33********74 \
--identity-center-arn arn:aws:sso:::instance/ssoins-77**********dd
%
実際に試してみる
% aws sts get-caller-identity
{
"UserId": "AROAU3QBWPKDHVTET4IKR:shibao@test",
"Account": "33********74",
"Arn": "arn:aws:sts::33********74:assumed-role/AWSReservedSSO_folderA_118a25d1911c957e/[email protected]"
}
%
% aws s3control get-data-access \
--account-id 33********74 \
--target 's3://shibao-s3-grants/folderA/*' \
--permission READ
{
"Credentials": {
"AccessKeyId": "ASIAU3QBWPKDHISEPNGT",
"SecretAccessKey": "E4yyrNMhLKIGC4ysNwRcf6+0W96WE2uI3caQxnqZ",
"SessionToken": "IQoJb3JpZ2luX2VjEDsaDmFwLW5vcnRoZWFzdC0xIkYwRAIgVXfS6DQaukYc99Xbvc9dkq2tq/CDHwhWygeG5pMQ9wMCIBRTy6T+s7YdbotVSHe1qwL8MAcitVXVz3bNSc8h22CJKukGCKX//////////wEQBBoMMzMzOTM3Mjc3NTc0Igx39VfdvVzC4UySbJEqvQZlZe9PyN7Gs4p7kKltP3FNGK5cEQa9XaJtzsbcIiVVTflIQwK0ekEjmSo2TEgQ3Zne9FGuy3F8dWuwFo8R4IkhAsaabyJ9+4zwfTo9l3jVgDchIPiKIyxegjtc0gEZgOIoOyOCVKYs8UlTUj/5tZHWuu988cpK8uI5NFhyAJBV4R7PjXFRvz1SawWM5DfFaM270r8n0sBYjNkeZHFoA4GPdJPuIqVayGLo1fk+2VL36ZkaNwbzUvr0v2a2q6EB1II7aYwSlMwAypxitIvYJZJZ4N21Ai8wLyUtA5/ZdsT2oU2oz2ujs3ZaAgGWRY6GSYNBvUv8weyTEGjK0BFYCsM9EmV7E8wdxpfw8d3q3io3gZlhb9YP0hg5qb0PYGgw0GEAvcM9egg/kwREMgDQqI+HWwJ58/thktCPiK7PC29+eMJc5TFQVfcAfOYNNrfQHiCp8LKG8ATBNG6/j481bPZof2z/Rr8+QmBvEeMlMIflkdNqTQSyQwcgsO7gpQotFM0hlAtWsYTQdcV90w+M1VbTKDCINrgQQNGdhdd4vP2ST8u7/n6YcLtRj/5TS8cKagSrQ+K5HpJRLbkH3EZ0dx80FlKhDsE7sd0m7sGecvTRtKgQmFZxhZwxUAqAxpirJgbu4dJiCON1at4d8fAmxMcdfxgmW5tFDWfeMWSwAs8FYcD+M+hTHZart9mfjwPrFh1gnKt1Z5q8OXIiSiyKUG6Ir76o5e1aozNPGzFDpfCzNSFgRBtrJOAuvs7z8PN2gBoXSfSdPcdTt5zPWQKs0cWmRTNlsLhCwliIsilK20dpjpwAuarZy+PS3mf3gHDHRp0KCXkAW+ETWrxVWjIYJ1SrgE+L071SPEgI7c5JpZVNf5VGUxXt2X4r9BgwmLHRnSmInqLw70Hr04/UYLSVEoz4mM8nvf507Owm8OvttaN7IlsSvR9xdjUrIrMG9mBrcM8gaW+TPnEem8rjpwtBWk+KllKVpr2gE2COgznVSBx19pCUWZzjfV9sJGY6b7jw3dBhhaId1gaGQITE/XFmyyI0cL5pV9MICuPvkWMZtbVZGLviO7GFA9Rd7swYuzlnU9uxFL8xzA5RtyyYPpprMLfXxqsGOs0BaL2WAJzzNQWSJmpF862lBJ7JyoxRAEQFcaOmc+PQAJelBUgzwMZz23Fyuf8ve038sdoyK8xqyJOg4AAJnSwbguakWyImV2d7G8mu92wD+eRk5e5hoBS5YLYlzIdygpelAOXfmJag3mdeGPjE4o3EBDhvkehI9VoLN7fLPea45I7s7tWojOdHZMxffFVTF6nAR3C7aQPCILsX7KkZ89lpv+e0fk4c6R4Pk0o1Y9fCVRoIcI+JeEFClkYdxyqHQQCYc/DFOldsltRPeB8Y0w==",
"Expiration": "2023-12-07T12:25:43+00:00"
},
"MatchedGrantTarget": "s3://shibao-s3-grants/folderA/*"
}
%
% aws s3control get-data-access \
--account-id 33********74 \
--target 's3://shibao-s3-grants/folderB/*' \
--permission READ
An error occurred (AccessDenied) when calling the GetDataAccess operation: You do not have READ permissions to the requested S3 Prefix: s3://shibao-s3-grants/folderB/*
%
まとめ
- S3に対するアクセスをIAM Identity Centerによるアクセスを寄せることができる
- S3 Access Grants自体にShare Instance(RAM経由)があるのでOrganization内で共有が捗る
- Managementコンソールからアクセスしてしまうと s3control:GetDataAccess は呼ばれないので、ManagementコンソールからAPIが叩くことができる実装に期待
番外編
CodeWhisperer CLI いいぞ
今回AWS CLIで全面的に操作を行うというところで、
AWS re:Invent 2023 直前にリリースされたCodeWhisperer CLIも導入してやってみました。
これがあれば都度AWS CLIのDocsを見る手間が非常に省けるので是非導入してみてください。