我可以通过另一个 aws 账户发布的 AWS IAM 角色获取凭证吗?
Can I get credentials by AWS IAM Role published by another aws account?
不幸的是,我为这项工作浪费了好几天时间。
如何通过 IAM 角色获取临时凭证?这可能吗?
这是我的场景和代码。(java 上的 AWS SDK)
AWS账户accessKey和secretKey的STS实例
AWSSecurityTokenService tokenService = new AWSSecurityTokenServiceClient(new BasicAWSCredentials(awsProperty.getAccess(), awsProperty.getSecret()));
制作 AssumeRoleRequest
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
assumeRoleRequest.setRoleArn(arn);
assumeRoleRequest.setDurationSeconds(900);
assumeRoleRequest.setRoleSessionName("for_test");
assumeRoleRequest.setExternalId("ext_id");
获取 SessionCredentials
AssumeRoleResult roleResult = tokenService.assumeRole(assumeRoleRequest);
Credentials credentials = roleResult.getCredentials();
AWSCredentials awsCredentials = new BasicSessionCredentials(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken());
工作
AmazonCloudFrontClient cloudFrontClient = new AmazonCloudFrontClient(awsCredentials);
它抛出 AWSSecurityTokenServiceException
User: arn:aws:iam::{account}:user/{user_name} is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{role_account}:role/{role_name} (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied;
我是这样制定政策的。附加到 IAM 角色和 IAM 用户。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1490674259000",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"*"
]
}
]
}
编辑:
我使用 IAM 策略模拟器测试了策略(已修改)。
select AWS Security Token Service-AssumeRole 和 IAM Role ARN - 允许。
您应该向您的 IAM 角色添加 trust relationship 以允许代入它。
不幸的是,我为这项工作浪费了好几天时间。
如何通过 IAM 角色获取临时凭证?这可能吗?
这是我的场景和代码。(java 上的 AWS SDK)
AWS账户accessKey和secretKey的STS实例
AWSSecurityTokenService tokenService = new AWSSecurityTokenServiceClient(new BasicAWSCredentials(awsProperty.getAccess(), awsProperty.getSecret()));制作 AssumeRoleRequest
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest(); assumeRoleRequest.setRoleArn(arn); assumeRoleRequest.setDurationSeconds(900); assumeRoleRequest.setRoleSessionName("for_test"); assumeRoleRequest.setExternalId("ext_id");获取 SessionCredentials
AssumeRoleResult roleResult = tokenService.assumeRole(assumeRoleRequest); Credentials credentials = roleResult.getCredentials(); AWSCredentials awsCredentials = new BasicSessionCredentials(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken());工作
AmazonCloudFrontClient cloudFrontClient = new AmazonCloudFrontClient(awsCredentials);
它抛出 AWSSecurityTokenServiceException
User: arn:aws:iam::{account}:user/{user_name} is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{role_account}:role/{role_name} (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied;
我是这样制定政策的。附加到 IAM 角色和 IAM 用户。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1490674259000",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"*"
]
}
]
}
编辑:
我使用 IAM 策略模拟器测试了策略(已修改)。
select AWS Security Token Service-AssumeRole 和 IAM Role ARN - 允许。
您应该向您的 IAM 角色添加 trust relationship 以允许代入它。