aws sts 承担角色 returns accesskeyid 屏蔽“***”
aws sts assume role returns accesskeyid masked "***"
我正在代码构建映像中调用 sts assume role,响应凭证具有 accessKeyId = "***" 像这样。
此外,当从我的本地计算机尝试相同的命令时,也获得了正确的 accesskeyId。知道我在这里缺少什么吗?
要求:
aws sts assume-role --role-arn arn:aws:iam::11111111:role/codepipeline_role --role-session-name codepipeline_role
响应示例:
{
"AssumedRoleUser": {
"Arn": "arn:aws:sts::111111111111:assumed-role/codepipeline_role/codepipeline-role",
"AssumedRoleId": "AROA6DS4I2EQXD2H5OXYE:codepipeline-role"
},
"Credentials": {
"AccessKeyId": "***",
"Expiration": "2020-01-04T16:23:56Z",
"SecretAccessKey": "SecretAccessKey",
"SessionToken": "sessionTOken"
}
}
提前致谢!
您可以尝试使用这些值吗?它可以在回显时被屏蔽。
version: 0.2
phases:
install:
commands:
- apt-get update
- apt-get install -y jq
- RESPONSE=$(aws sts assume-role --role-arn arn:aws:iam::123456789012:role/CLIRole --role-session-name `date "+%Y%m%d_%H%M%S"`)
- export AWS_ACCESS_KEY_ID=$(echo $RESPONSE | jq -r '.Credentials.AccessKeyId')
- export AWS_SECRET_ACCESS_KEY=$(echo $RESPONSE | jq -r '.Credentials.SecretAccessKey')
- export AWS_SESSION_TOKEN=$(echo $RESPONSE | jq -r '.Credentials.SessionToken')
#- Your aws cli command here...
编辑 1:
使用以下构建规范(从 CodePipeline 调用的 CodeBuild)进行检查,可以确认角色假设成功。 “***”在您回显时被屏蔽:
version: 0.2
phases:
install:
runtime-versions:
nodejs: 8
commands:
- ASSUME_ROLE_ARN="arn:aws:iam::123456789012:role/Shariq-Assumption-Test-Role"
- aws sts get-caller-identity
- TEMP_ROLE=`aws sts assume-role --role-arn $ASSUME_ROLE_ARN --role-session-name test`
- export TEMP_ROLE
- echo $TEMP_ROLE
- export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
- export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
- export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
- echo $AWS_ACCESS_KEY_ID
- echo $AWS_SECRET_ACCESS_KEY
- echo $AWS_SESSION_TOKEN
- aws sts get-caller-identity
'Shariq-Assumption-Test-Role' 具有以下信任策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678910:root",
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
此外,CodeBuild 角色应具有 sts:AssumeRole 权限。
构建日志:
[Container] 2020/01/05 12:59:13 Running command ASSUME_ROLE_ARN="arn:aws:iam::123456789012:role/Shariq-Assumption-Test-Role"
[Container] 2020/01/05 12:59:13 Running command aws sts get-caller-identity
{
"UserId": "AROAXTEXAMPLEQ22FQDC:AWSCodeBuild-xxxxxxxx-104c-42b9-b71c-ff3e8ad44b16",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/codebuild-build-from-cp-service-role/AWSCodeBuild-xxxxxxxx-104c-42b9-b71c-ff3e8ad44b16"
}
[Container] 2020/01/05 12:59:18 Running command TEMP_ROLE=`aws sts assume-role --role-arn $ASSUME_ROLE_ARN --role-session-name test`
[Container] 2020/01/05 12:59:18 Running command export TEMP_ROLE
[Container] 2020/01/05 12:59:18 Running command echo $TEMP_ROLE
{ "Credentials": { "AccessKeyId": "***", "SecretAccessKey": "R9QuqToY4qkcEXAMPLESGmTGJi4QawzS", "SessionToken": "FwoGZXIvYXdzEA4aDIwhkn5nVvvFBeBxXSLGAZmE1/Kw0CA9a/PEUG6VXyHyTrVryYzyRDEPdFUlzhXjqBj9h5x/Cz5aX/61aR2qSEXAMPLEBqm7OsI3zD3KA3NIIAr/u+l9f8AGZz+Ii6AeUoLFrkvH7d7JINGvouRNdrulkbzbnAAtGQx+8K1DxR0w4TbPbld3hQJYanGf6I4v3EieJuRckqxloEO6gF9W9EsqsluOogJVJAziimu8fwBTJLaKyaqg2Rr6w4JqrIB9fUngEnif/ggbIrscuadGLhXe7bSRKCrerk5DzEGP1uiZwH3P/De9wIOOClq", "Expiration": "2020-01-05T13:59:18Z" }, "AssumedRoleUser": { "AssumedRoleId": "AROAXTLSHEXAMPLE2TZT:test", "Arn": "arn:aws:sts::123456789012:assumed-role/Shariq-Assumption-Test-Role/test" } }
[Container] 2020/01/05 12:59:18 Running command export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
[Container] 2020/01/05 12:59:18 Running command export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
[Container] 2020/01/05 12:59:18 Running command export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
[Container] 2020/01/05 12:59:18 Running command echo $AWS_ACCESS_KEY_ID
***
[Container] 2020/01/05 12:59:18 Running command echo $AWS_SECRET_ACCESS_KEY
R9QuqToY4qkct327ZEXAMPLEmTGJi4QawzS
[Container] 2020/01/05 12:59:18 Running command echo $AWS_SESSION_TOKEN
FwoGZXIvYXdzEA4aDIwhkn5nVvvFBeBxXSLGAZmE1/Kw0CA9a/PEUG6VXyHyTrVryYzyRDEPdFUlzhXjqBj9h5x/Cz5aX/61aR2qSGwqMEjJToh0Bqm7OsI3zD3K4ot7wAeUoLFrkvH7d7JINGvouRNdrulkbzbnAAtGQx+8K1DxR0w4TbPbld3hQJYanEXAMPLE0h3U5xLXykuEcvOnuV6gF9W9EsqsluOogJVJAziimu8fwBTJLaKyaqg2Rr6w4JqrIB9fUngEnif/ggbIrscuadGLhXe7bSRKCrerk5DzEGPzqyMFCH+DHYsbeIeqXkbFYW1uiZwH3P/De9wIOOClq
[Container] 2020/01/05 12:59:18 Running command aws sts get-caller-identity
{
"UserId": "AROAXTLEXAMPLELVE2TZT:test",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/Shariq-Assumption-Test-Role/test"
}
我正在代码构建映像中调用 sts assume role,响应凭证具有 accessKeyId = "***" 像这样。
此外,当从我的本地计算机尝试相同的命令时,也获得了正确的 accesskeyId。知道我在这里缺少什么吗?
要求:
aws sts assume-role --role-arn arn:aws:iam::11111111:role/codepipeline_role --role-session-name codepipeline_role
响应示例:
{
"AssumedRoleUser": {
"Arn": "arn:aws:sts::111111111111:assumed-role/codepipeline_role/codepipeline-role",
"AssumedRoleId": "AROA6DS4I2EQXD2H5OXYE:codepipeline-role"
},
"Credentials": {
"AccessKeyId": "***",
"Expiration": "2020-01-04T16:23:56Z",
"SecretAccessKey": "SecretAccessKey",
"SessionToken": "sessionTOken"
}
}
提前致谢!
您可以尝试使用这些值吗?它可以在回显时被屏蔽。
version: 0.2
phases:
install:
commands:
- apt-get update
- apt-get install -y jq
- RESPONSE=$(aws sts assume-role --role-arn arn:aws:iam::123456789012:role/CLIRole --role-session-name `date "+%Y%m%d_%H%M%S"`)
- export AWS_ACCESS_KEY_ID=$(echo $RESPONSE | jq -r '.Credentials.AccessKeyId')
- export AWS_SECRET_ACCESS_KEY=$(echo $RESPONSE | jq -r '.Credentials.SecretAccessKey')
- export AWS_SESSION_TOKEN=$(echo $RESPONSE | jq -r '.Credentials.SessionToken')
#- Your aws cli command here...
编辑 1:
使用以下构建规范(从 CodePipeline 调用的 CodeBuild)进行检查,可以确认角色假设成功。 “***”在您回显时被屏蔽:
version: 0.2
phases:
install:
runtime-versions:
nodejs: 8
commands:
- ASSUME_ROLE_ARN="arn:aws:iam::123456789012:role/Shariq-Assumption-Test-Role"
- aws sts get-caller-identity
- TEMP_ROLE=`aws sts assume-role --role-arn $ASSUME_ROLE_ARN --role-session-name test`
- export TEMP_ROLE
- echo $TEMP_ROLE
- export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
- export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
- export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
- echo $AWS_ACCESS_KEY_ID
- echo $AWS_SECRET_ACCESS_KEY
- echo $AWS_SESSION_TOKEN
- aws sts get-caller-identity
'Shariq-Assumption-Test-Role' 具有以下信任策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::12345678910:root",
"Service": "codebuild.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
此外,CodeBuild 角色应具有 sts:AssumeRole 权限。
构建日志:
[Container] 2020/01/05 12:59:13 Running command ASSUME_ROLE_ARN="arn:aws:iam::123456789012:role/Shariq-Assumption-Test-Role"
[Container] 2020/01/05 12:59:13 Running command aws sts get-caller-identity
{
"UserId": "AROAXTEXAMPLEQ22FQDC:AWSCodeBuild-xxxxxxxx-104c-42b9-b71c-ff3e8ad44b16",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/codebuild-build-from-cp-service-role/AWSCodeBuild-xxxxxxxx-104c-42b9-b71c-ff3e8ad44b16"
}
[Container] 2020/01/05 12:59:18 Running command TEMP_ROLE=`aws sts assume-role --role-arn $ASSUME_ROLE_ARN --role-session-name test`
[Container] 2020/01/05 12:59:18 Running command export TEMP_ROLE
[Container] 2020/01/05 12:59:18 Running command echo $TEMP_ROLE
{ "Credentials": { "AccessKeyId": "***", "SecretAccessKey": "R9QuqToY4qkcEXAMPLESGmTGJi4QawzS", "SessionToken": "FwoGZXIvYXdzEA4aDIwhkn5nVvvFBeBxXSLGAZmE1/Kw0CA9a/PEUG6VXyHyTrVryYzyRDEPdFUlzhXjqBj9h5x/Cz5aX/61aR2qSEXAMPLEBqm7OsI3zD3KA3NIIAr/u+l9f8AGZz+Ii6AeUoLFrkvH7d7JINGvouRNdrulkbzbnAAtGQx+8K1DxR0w4TbPbld3hQJYanGf6I4v3EieJuRckqxloEO6gF9W9EsqsluOogJVJAziimu8fwBTJLaKyaqg2Rr6w4JqrIB9fUngEnif/ggbIrscuadGLhXe7bSRKCrerk5DzEGP1uiZwH3P/De9wIOOClq", "Expiration": "2020-01-05T13:59:18Z" }, "AssumedRoleUser": { "AssumedRoleId": "AROAXTLSHEXAMPLE2TZT:test", "Arn": "arn:aws:sts::123456789012:assumed-role/Shariq-Assumption-Test-Role/test" } }
[Container] 2020/01/05 12:59:18 Running command export AWS_ACCESS_KEY_ID=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.AccessKeyId')
[Container] 2020/01/05 12:59:18 Running command export AWS_SECRET_ACCESS_KEY=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SecretAccessKey')
[Container] 2020/01/05 12:59:18 Running command export AWS_SESSION_TOKEN=$(echo "${TEMP_ROLE}" | jq -r '.Credentials.SessionToken')
[Container] 2020/01/05 12:59:18 Running command echo $AWS_ACCESS_KEY_ID
***
[Container] 2020/01/05 12:59:18 Running command echo $AWS_SECRET_ACCESS_KEY
R9QuqToY4qkct327ZEXAMPLEmTGJi4QawzS
[Container] 2020/01/05 12:59:18 Running command echo $AWS_SESSION_TOKEN
FwoGZXIvYXdzEA4aDIwhkn5nVvvFBeBxXSLGAZmE1/Kw0CA9a/PEUG6VXyHyTrVryYzyRDEPdFUlzhXjqBj9h5x/Cz5aX/61aR2qSGwqMEjJToh0Bqm7OsI3zD3K4ot7wAeUoLFrkvH7d7JINGvouRNdrulkbzbnAAtGQx+8K1DxR0w4TbPbld3hQJYanEXAMPLE0h3U5xLXykuEcvOnuV6gF9W9EsqsluOogJVJAziimu8fwBTJLaKyaqg2Rr6w4JqrIB9fUngEnif/ggbIrscuadGLhXe7bSRKCrerk5DzEGPzqyMFCH+DHYsbeIeqXkbFYW1uiZwH3P/De9wIOOClq
[Container] 2020/01/05 12:59:18 Running command aws sts get-caller-identity
{
"UserId": "AROAXTLEXAMPLELVE2TZT:test",
"Account": "123456789012",
"Arn": "arn:aws:sts::123456789012:assumed-role/Shariq-Assumption-Test-Role/test"
}