【发布时间】:2017-03-28 17:37:56
【问题描述】:
很遗憾,我为此工作浪费了几天时间。
如何通过 IAM 角色获取临时凭证?这可能吗?
这是我的场景和代码。(Java 上的 AWS 开发工具包)
-
AWS 账户 accessKey 和 secretKey 的 STS 实例
AWSSecurityTokenService tokenService = new AWSSecurityTokenServiceClient(new BasicAWSCredentials(awsProperty.getAccess(), awsProperty.getSecret())); -
制作 AssumeRoleRequest
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest(); assumeRoleRequest.setRoleArn(arn); assumeRoleRequest.setDurationSeconds(900); assumeRoleRequest.setRoleSessionName("for_test"); assumeRoleRequest.setExternalId("ext_id"); -
获取 SessionCredentials
AssumeRoleResult roleResult = tokenService.assumeRole(assumeRoleRequest); Credentials credentials = roleResult.getCredentials(); AWSCredentials awsCredentials = new BasicSessionCredentials(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken()); -
工作
AmazonCloudFrontClient cloudFrontClient = new AmazonCloudFrontClient(awsCredentials);
它抛出AWSSecurityTokenServiceException
User: arn:aws:iam::{account}:user/{user_name} is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{role_account}:role/{role_name} (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied;
我制定这样的政策。附加到 IAM 角色和 IAM 用户。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1490674259000",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"*"
]
}
]
}
编辑:
我使用 IAM 策略模拟器测试了策略(已修改)。
选择 AWS Security Token Service-AssumeRole 和 IAM Role ARN - 允许。
【问题讨论】:
-
您是否在其他 AWS 账户中担任角色?您的角色是否定义了trust relationship?
-
@JohnRotenstein 非常感谢!我确认信任关系并修复参数。它有效!
标签: amazon-web-services amazon-iam aws-sts