Failed to assume role for third-party AWS account using IAM user's access key
I am trying to grant a third-party AWS account access to my AWS account using the Assume Role function with the SecurityAudit role, similar to here. I followed the explanation from this to create a role named testing for the third-party account, and ended up with a trust relationship like this (I also added the third party's IAM user, since it will use his access key to access my AWS account):
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::thirdparty:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
```
Then I followed the code from here, as follows:
```java
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;

// clientRegion, roleARN and roleSessionName are defined by the caller elsewhere.
// The STS client runs with the third party's own credentials (from the local profile).
AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
        .withCredentials(new ProfileCredentialsProvider())
        .withRegion(clientRegion)
        .build();
// Obtain credentials for the IAM role. Note that you cannot assume the role of an AWS root account;
// Amazon S3 will deny access. You must use credentials for an IAM user or an IAM role.
AssumeRoleRequest roleRequest = new AssumeRoleRequest()
        .withRoleArn(roleARN)
        .withRoleSessionName(roleSessionName);
AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
// Temporary credentials for the assumed role, to be used for the audit calls.
Credentials sessionCredentials = roleResponse.getCredentials();
```
But when the third party runs the code, it gets this error:
```text
Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::thirdparty:user/TestOne is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::myaccount:role/testing(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1632)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1304)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1058)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access0(AmazonHttpClient.java:667)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1307)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1283)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:466)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:442)
```
So how should this be configured correctly if the third-party AWS account wants to use its access key to perform a security audit of my account?
The error says that arn:aws:iam::thirdparty:user/TestOne is not allowed to assume the role in question.

In your question you correctly allow arn:aws:iam::thirdparty:root to assume the role. But this still does not grant the TestOne IAM user permission to do the same.

To fix this, the admin/root of the thirdparty account must explicitly allow the IAM user TestOne to sts:AssumeRole into your account.

So the thirdparty account could add permissions, such as an inline policy, to the TestOne user. Obviously it could also be done using a customer-managed policy or other IAM mechanisms. But an inline policy seems the fastest and easiest to test.