Use External ID to Authorize AWS
II. Choose IAM.
i. Choose Roles and click Create role:
ii. In Step 1 > Select trusted entity, select Custom trust policy:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws-cn:iam::<Authorized ID>:user/<Username>"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "<External ID>"
        }
      }
    }
  ]
}
```
Warning
When you configure the Custom trust policy, you need to fill in the AWS account ID of Guance and the user name in the form: arn:aws-cn:iam::<Authorized ID>:user/<Username>
The actual value to fill in is as follows (this is a fixed configuration): arn:aws-cn:iam::588271335135:user/guance-s3-bakcuplog
iii. In Step 2 > Add permissions, click Create policy:
(i). In Create policy > Specify permissions > Policy editor, fill in the following content:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws-cn:s3:::<bucket name>",
        "arn:aws-cn:s3:::<bucket name>/*"
      ]
    }
  ]
}
```
(ii). In Review and create > Policy details > Policy name, enter a meaningful name to identify this policy:
iv. Go back to the Create role page. Click so that the permission policy created in the previous step appears, then select it:
v. In Step 3 > Name, review and create > Role details > Role name, enter a meaningful name to identify the role, then click Create to finish the authorization. This role name is the AWS Role name entered under AWS S3 > Role authorization > Fill in archive information.
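As an added example (not Guance's or AWS's own code), the following builds the two policy documents from this page from their parameters and lints a trust policy before it is applied, flagging the two mistakes that defeat the external-ID pattern: a wildcard principal, or an sts:ExternalId condition that is missing or still holds the placeholder. The account ID, user name and external ID used in the test are constructed sample values; the real ones come from the Guance console.

```python
# Added example (not Guance's or AWS's code): build the two policies from this page
# and check that a trust policy really requires the external ID before it is applied.
PARTITION = "aws-cn"  # the page uses the China partition; use "aws" elsewhere


def trust_policy(account_id: str, user: str, external_id: str) -> dict:
    """Trust policy as on the page: one IAM user, and only with the agreed external ID."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Statement1", "Effect": "Allow",
        "Principal": {"AWS": f"arn:{PARTITION}:iam::{account_id}:user/{user}"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def bucket_policy(bucket: str) -> dict:
    """Permission policy as on the page: put/get/list scoped to one bucket."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "Statement1", "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:{PARTITION}:s3:::{bucket}",
                     f"arn:{PARTITION}:s3:::{bucket}/*"]}]}


def lint_trust_policy(policy: dict) -> list:
    """Findings for mistakes that defeat the pattern: wildcard principal,
    or a missing / placeholder sts:ExternalId condition. Empty list = OK."""
    findings = []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow" or st.get("Action") != "sts:AssumeRole":
            continue
        principal = st.get("Principal", {}).get("AWS", "")
        if principal == "*" or not principal.startswith(f"arn:{PARTITION}:iam::"):
            findings.append("principal is not a specific IAM ARN")
        ext = st.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext or ext.startswith("<"):
            findings.append("sts:ExternalId condition missing or left as a placeholder")
    return findings


def assume_allowed(policy: dict, caller_arn: str, external_id: str) -> bool:
    """Offline model of the STS check: caller ARN and external ID must both match."""
    for st in policy["Statement"]:
        cond = st.get("Condition", {}).get("StringEquals", {})
        if (st["Effect"] == "Allow" and st["Action"] == "sts:AssumeRole"
                and st["Principal"].get("AWS") == caller_arn
                and cond.get("sts:ExternalId") == external_id):
            return True
    return False
```

The lint is worth running on the trust policy text before pasting it into the console: a role that trusts the right account but omits the sts:ExternalId condition can be assumed by that account on behalf of any of its customers, which is exactly what the external ID is there to prevent.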