使用 AWS PHP 开发工具包时 AWS Assume Role 访问被拒绝

Question

我在使用 AWS PHP 开发工具包时遇到问题 从 apache 服务器（PHP SDK）调用 AssumeRole 时出现以下错误

    Error executing "AssumeRole" on "https://sts.amazonaws.com"; 
    AWS HTTP error: Client error: `POST https://sts.amazonaws.com` resulted in a `403 Forbidden` 
response: Sender AccessDeni (truncated...) AccessDenied (client): Access denied - Sender AccessDenied Access denied

我使用 AWS CLI 测试了在同一台 ec2 机器中担任角色的命令，它工作正常。

这是我使用的代码。

const AccessKey = "<AccessKey>";
    const SecretAccessKey = "<SecretAccessKey>";
    const AccountID = "<AccountID>";
    const Name_space = "default";  // leave this as default

    use Aws\Sts\StsClient;
    use Aws\Sts\StsException;     

 try {
  $sts = new Aws\Sts\StsClient([
            'region' => 'us-east-1',
            'version' => 'latest',
            'credentials  ' => array('key' => AccessKey,
               'secret' => SecretAccessKey)
        ]);



 $session = $sts->assumeRole([
           'DurationSeconds' => 900,
           'RoleArn' => '<arn>', // REQUIRED
           'RoleSessionName' => testSession, // REQUIRED
      ]);

 } catch (Exception $e) {

        exit($e->getMessage());
    }

--编辑添加以下内容--

用户具有承担该角色的策略

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "<role arn>"
    }
}

这是角色的信任关系

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": "<user arn>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Answer 1

在 AWS 控制台中打开角色 > 信任关系。 点击“编辑信任关系”并粘贴以下内容

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::014361779291:user/<<username>>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}