【Posted at】:2020-10-22 10:29:34
【Problem description】:
Code in the Lambda function -
    String arn = "arn:aws:ecs:eu-west-1:accountId(B-account):task-definition/task-defn-name";
    String cluster = "arn:aws:ecs:eu-west-1:accountId(B-account):cluster/cluster name";
    RunTaskRequest request = new RunTaskRequest().withLaunchType(LaunchType.EC2).withCluster(cluster).withTaskDefinition(arn);
    // Builder(roleArn, roleSessionName): assume the Account B role and use its temporary credentials for the ECS call
    final STSAssumeRoleSessionCredentialsProvider cross_acct_lambda = new STSAssumeRoleSessionCredentialsProvider.Builder("AccountB-Role", "cross_acct_lambda").build();
    RunTaskResult response = AmazonECSClientBuilder.standard().withCredentials(cross_acct_lambda).build().runTask(request);
This works when I use the default credentials provider instead of STSAssumeRoleSessionCredentialsProvider.
Permissions policy of the role in Account B
    {
        "Effect": "Allow",
        "Action": [
            "ecs:RunTask",
            "ecs:Describe*",
            "ecs:List*"
        ],
        "Resource": [
            "*"
        ]
    }
Trust relationship of the role in Account B
    {
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Principal": {
                    "Service": [
                        "ecs-tasks.amazonaws.com",
                        "ec2.amazonaws.com"
                    ]
                },
                "Action": "sts:AssumeRole"
            },
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::AccountId-Aaccount:role/ecsLambdaRole"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
Account A role
    {
        "Version": "2012-10-17",
        "Statement": {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::AccountId-Baccount:role/role name"
        }
    }
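Added example, not part of the question: an offline sanity check for the two things a cross-account AssumeRole like the one above depends on, namely that the role identifier handed to the STS provider is a full role ARN (the Builder's first argument is a role ARN, not a role name) and that Account B's trust policy lists the calling Account A role as an AWS principal for sts:AssumeRole. The policy and ARNs below are constructed placeholders modelled on the question; explicit Deny statements and conditions are not evaluated.

```python
import re

# Constructed trust policy for the Account B role, with placeholder account ids.
TRUST_POLICY_B = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"Service": ["ecs-tasks.amazonaws.com", "ec2.amazonaws.com"]},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/ecsLambdaRole"},
         "Action": "sts:AssumeRole"},
    ],
}

# Shape of an IAM role ARN: arn:aws:iam::<12-digit account>:role/<path and name>
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def _as_list(value):
    """IAM allows a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def can_assume(trust_policy, caller_arn):
    """True if some Allow statement grants sts:AssumeRole to caller_arn (or to '*')."""
    for statement in _as_list(trust_policy.get("Statement", [])):
        if statement.get("Effect") != "Allow":
            continue
        actions = _as_list(statement.get("Action", []))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = statement.get("Principal", {})
        if principal == "*":
            return True
        if caller_arn in _as_list(principal.get("AWS", [])) or "*" in _as_list(principal.get("AWS", [])):
            return True
    return False


def check_cross_account_setup(role_arn, caller_arn, trust_policy):
    """Return a list of reasons the AssumeRole call would be rejected; empty list means it looks sound."""
    problems = []
    if not ROLE_ARN_RE.match(role_arn):
        problems.append(f"role to assume must be a full IAM role ARN, got {role_arn!r}")
    if not can_assume(trust_policy, caller_arn):
        problems.append(f"trust policy does not allow {caller_arn} to call sts:AssumeRole")
    return problems
```

Assuming a caller of the Account A role and a placeholder Account B role ARN, the check flags a bare role name but accepts the full ARN with the trusted caller.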
【Discussion】:
Tags: java amazon-web-services amazon-ec2 aws-lambda amazon-iam