NodeJS:aws-sdk sts.assumeRole 不工作
NodeJS: aws-sdk sts.assumeRole is not working
我有一个奇怪的问题,我似乎无处可去。我已经在线学习了所有内容(多个教程等),但无法使 sts.assumeRole 正常工作。
我的设置:
- AWS 主账户(用于计费、IAM 等)
- 子AWS账户1(已使用
对于客户 1)
- 子AWS账户2(用于客户2)
- 等等
我在 子 AWS 账户 1 中有一个机器人 运行,我需要来自 主 AWS 账户 的定价信息。
所以,我在 主 AWS 账户 上创建了一个角色来获得 AWS ce:* 访问权限,如下:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["ce:*"],
"Resource": ["*"]
}]
}
信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com",
"AWS": "arn:aws:iam::SubAWSaccount1-ID:role/instance-profile"
},
"Action": "sts:AssumeRole"
}
]
}
现在,这是附加到 子 AWS 账户 1 上的 EC2 实例 运行 的 实例配置文件:
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::mainAWSaccount-ID:role/botRole"
}
]
}
信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
好的,不碍事,这是无效的代码:
var AWS = require('aws-sdk');
var pricingAWS = new AWS.CostExplorer();
var getPricing = function(){
var costParams = {
TimePeriod: { Start: "2019-12-01 ", End: "2020-01-01"},
Granularity: 'MONTHLY',
Metrics: ['BlendedCost'],
Filter: {
Dimensions: {
Key: "LINKED_ACCOUNT",
Values: ["Sub AWS account 2s ID"] //Main AWS account has access to many sub accounts info. So bot in running on Sub account 1, I need info from Sub account 1, 2, 3 etc and Role is on Main account
}
}
};
var roleToAssume = {
RoleArn: 'arn:aws:iam::mainAWSaccount-ID:role/botRole',
RoleSessionName: 'testTestTest',
DurationSeconds: 900
};
var roleCreds = {};
sts.assumeRole(roleToAssume, function(err, data) {
if (err) {
console.log(err);
} else {
roleCreds = {
accessKeyId: data.Credentials.AccessKeyId,
secretAccessKey: data.Credentials.SecretAccessKey,
sessionToken: data.Credentials.SessionToken
};
pricingAWS.config.update({
accessKeyId: roleCreds.AccessKeyId,
secretAccessKey: roleCreds.SecretAccessKey,
sessionToken: roleCreds.SessionToken
});
}
});
pricingAWS.getCostAndUsage(costParams, function (err, data) {
if (err) {
reject(err);
}else{
resolve(data);
}
});
};
getPricing();
我从 console.log(err) 得到的是:
User: arn:aws:sts::SubAWSAccount-1:assumed-role/slack-instance-profile/instanceID is not authorized to perform: ce:GetCostAndUsage on resource: arn:aws:ce:us-east-1:SubAWSAccount-1:/GetCostAndUsage'
为了确认我的理解,您正在尝试从另一个帐户中的 ec2 实例中担任一个帐户中的角色。
- 在
child 账户中创建一个 IAM 角色
- 通过附加 IAM 策略,允许上面新创建的角色承担
main 帐户中存在的角色。通过主要角色的信任策略允许子角色承担主要角色(您已经这样做了)
- 在您的 Nodejs 代码中 运行 在子 ec2 实例中,承担父角色并阅读账单报告(您已经这样做了)
代码修复
将 pricingAWS.getCostAndUsage() 行移动到 assume role 回调中。因为在更新凭据之前调用了该行:)。您还可以将所有内容更改为 async/await,如下所示。
import AWS = require('aws-sdk');
var pricingAWS = new AWS.CostExplorer();
const sts = new AWS.STS()
var getPricing = async function () {
var costParams = {
TimePeriod: { Start: "2019-12-01 ", End: "2020-01-01" },
Granularity: 'MONTHLY',
Metrics: ['BlendedCost'],
Filter: {
Dimensions: {
Key: "LINKED_ACCOUNT",
Values: ["Sub AWS account 2s ID"] //Main AWS account has access to many sub accounts info. So bot in running on Sub account 1, I need info from Sub account 1, 2, 3 etc and Role is on Main account
}
}
};
var roleToAssume = {
RoleArn: 'arn:aws:iam::mainAWSaccount-ID:role/botRole',
RoleSessionName: 'testTestTest',
DurationSeconds: 900
};
var roleCreds = {};
try {
const data = await sts.assumeRole(roleToAssume).promise();
const roleCreds = {
accessKeyId: data.Credentials.AccessKeyId,
secretAccessKey: data.Credentials.SecretAccessKey,
sessionToken: data.Credentials.SessionToken
};
pricingAWS.config.update({
accessKeyId: roleCreds.accessKeyId,
secretAccessKey: roleCreds.secretAccessKey,
sessionToken: roleCreds.sessionToken
});
const costAndUsage = await pricingAWS.getCostAndUsage(costParams).promise()
return costAndUsage
} catch (err) {
console.log('error: ', err);
throw err;
}
};
getPricing();
希望这对您有所帮助。
我有一个奇怪的问题,我似乎无处可去。我已经在线学习了所有内容(多个教程等),但无法使 sts.assumeRole 正常工作。
我的设置:
- AWS 主账户(用于计费、IAM 等)
- 子AWS账户1(已使用 对于客户 1)
- 子AWS账户2(用于客户2)
- 等等
我在 子 AWS 账户 1 中有一个机器人 运行,我需要来自 主 AWS 账户 的定价信息。
所以,我在 主 AWS 账户 上创建了一个角色来获得 AWS ce:* 访问权限,如下:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["ce:*"],
"Resource": ["*"]
}]
}
信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com",
"AWS": "arn:aws:iam::SubAWSaccount1-ID:role/instance-profile"
},
"Action": "sts:AssumeRole"
}
]
}
现在,这是附加到 子 AWS 账户 1 上的 EC2 实例 运行 的 实例配置文件:
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::mainAWSaccount-ID:role/botRole"
}
]
}
信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
好的,不碍事,这是无效的代码:
var AWS = require('aws-sdk');
var pricingAWS = new AWS.CostExplorer();
var getPricing = function(){
var costParams = {
TimePeriod: { Start: "2019-12-01 ", End: "2020-01-01"},
Granularity: 'MONTHLY',
Metrics: ['BlendedCost'],
Filter: {
Dimensions: {
Key: "LINKED_ACCOUNT",
Values: ["Sub AWS account 2s ID"] //Main AWS account has access to many sub accounts info. So bot in running on Sub account 1, I need info from Sub account 1, 2, 3 etc and Role is on Main account
}
}
};
var roleToAssume = {
RoleArn: 'arn:aws:iam::mainAWSaccount-ID:role/botRole',
RoleSessionName: 'testTestTest',
DurationSeconds: 900
};
var roleCreds = {};
sts.assumeRole(roleToAssume, function(err, data) {
if (err) {
console.log(err);
} else {
roleCreds = {
accessKeyId: data.Credentials.AccessKeyId,
secretAccessKey: data.Credentials.SecretAccessKey,
sessionToken: data.Credentials.SessionToken
};
pricingAWS.config.update({
accessKeyId: roleCreds.AccessKeyId,
secretAccessKey: roleCreds.SecretAccessKey,
sessionToken: roleCreds.SessionToken
});
}
});
pricingAWS.getCostAndUsage(costParams, function (err, data) {
if (err) {
reject(err);
}else{
resolve(data);
}
});
};
getPricing();
我从 console.log(err) 得到的是:
User: arn:aws:sts::SubAWSAccount-1:assumed-role/slack-instance-profile/instanceID is not authorized to perform: ce:GetCostAndUsage on resource: arn:aws:ce:us-east-1:SubAWSAccount-1:/GetCostAndUsage'
为了确认我的理解,您正在尝试从另一个帐户中的 ec2 实例中担任一个帐户中的角色。
- 在
child账户中创建一个 IAM 角色 - 通过附加 IAM 策略,允许上面新创建的角色承担
main帐户中存在的角色。通过主要角色的信任策略允许子角色承担主要角色(您已经这样做了) - 在您的 Nodejs 代码中 运行 在子 ec2 实例中,承担父角色并阅读账单报告(您已经这样做了)
代码修复
将 pricingAWS.getCostAndUsage() 行移动到 assume role 回调中。因为在更新凭据之前调用了该行:)。您还可以将所有内容更改为 async/await,如下所示。
import AWS = require('aws-sdk');
var pricingAWS = new AWS.CostExplorer();
const sts = new AWS.STS()
var getPricing = async function () {
var costParams = {
TimePeriod: { Start: "2019-12-01 ", End: "2020-01-01" },
Granularity: 'MONTHLY',
Metrics: ['BlendedCost'],
Filter: {
Dimensions: {
Key: "LINKED_ACCOUNT",
Values: ["Sub AWS account 2s ID"] //Main AWS account has access to many sub accounts info. So bot in running on Sub account 1, I need info from Sub account 1, 2, 3 etc and Role is on Main account
}
}
};
var roleToAssume = {
RoleArn: 'arn:aws:iam::mainAWSaccount-ID:role/botRole',
RoleSessionName: 'testTestTest',
DurationSeconds: 900
};
var roleCreds = {};
try {
const data = await sts.assumeRole(roleToAssume).promise();
const roleCreds = {
accessKeyId: data.Credentials.AccessKeyId,
secretAccessKey: data.Credentials.SecretAccessKey,
sessionToken: data.Credentials.SessionToken
};
pricingAWS.config.update({
accessKeyId: roleCreds.accessKeyId,
secretAccessKey: roleCreds.secretAccessKey,
sessionToken: roleCreds.sessionToken
});
const costAndUsage = await pricingAWS.getCostAndUsage(costParams).promise()
return costAndUsage
} catch (err) {
console.log('error: ', err);
throw err;
}
};
getPricing();
希望这对您有所帮助。