aws api: assume role access denied
When I use AWS I switch roles to view client data in the console and it works fine.
But I am trying to do this using Python and the boto3 package, and I get an "Access Denied" error. I don't have permission to add IAM roles or edit trust policies in the console, but I feel I shouldn't need to?
Sample code and the error are below:
The initial authorization for my account works fine
from boto.sts import STSConnection  # boto 2 (legacy) STS client used for the MFA step

mfa_TOTP = input("Enter the MFA code: ")
sts_connection = STSConnection()
# Trade the long-lived IAM user keys plus the MFA code for temporary session credentials
tempCredentials = sts_connection.get_session_token(
    duration=3600,
    mfa_serial_number="arn:aws:iam::123xyz123:mfa/my.name",
    mfa_token=mfa_TOTP
)
print('MFA authentication successful :)')
Enter the MFA code: 123456
MFA authentication successful :)
Trying to assume the role fails
import boto3

account = df.Account[0]  # 'df' is a DataFrame of accounts that is not shown in the question
acct_num = account.split('[')[1].split(']')[0]
role_arn = 'arn:aws:iam::' + str(acct_num) + ':role/this-user'
# This client is built from the long-lived keys, not from tempCredentials above
sts_client = boto3.client('sts')
assumed_role_object = sts_client.assume_role(
    RoleArn = role_arn,
    RoleSessionName = account.split(' ')[0]
)
ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::123xyz123:user/my.name is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::456abc456:role/this-user
There is a problem with your policy. For sts_client.assume_role to work you need to allow STS to assume your Lambda role. You can add the following to your IAM policy to make it work:
{
    "Action": "sts:AssumeRole",
    "Resource": [
        "arn:aws:iam::*:role/this-user"
    ],
    "Effect": "Allow"
}
You must include the temporary credentials when assuming the role, as below.
# tempCredentials is the boto 2 Credentials object returned by get_session_token above;
# it exposes the temporary keys as attributes, not as dict entries
sts_client = boto3.client('sts',
    aws_access_key_id=tempCredentials.access_key,
    aws_secret_access_key=tempCredentials.secret_key,
    aws_session_token=tempCredentials.session_token
)
assumed_role_object = sts_client.assume_role(
    RoleArn=role_arn,
    RoleSessionName=account.split(' ')[0]
)
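The chain the two answers describe, as an added example that is not code from the question or either answer: get a session token with MFA, build the STS client from those temporary credentials, then call AssumeRole. It uses boto3's call and response shapes; FakeSTS, build_role_arn, client_kwargs_from, demo and the account, MFA and session-name values are constructed stand-ins so it runs offline, and it assumes a role whose trust policy requires MFA.

```python
import re

ROLE_SESSION_NAME_RE = re.compile(r"[\w+=,.@-]{2,64}")  # AWS limit on RoleSessionName

def build_role_arn(account_id, role_name):
    """Reject anything that is not a 12-digit account id before building the ARN."""
    if not re.fullmatch(r"\d{12}", account_id):
        raise ValueError(f"not a 12-digit AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"

def client_kwargs_from(credentials):
    """Map an STS 'Credentials' block (boto3 key names, not AWS_* env names) to boto3.client() kwargs."""
    return {"aws_access_key_id": credentials["AccessKeyId"],
            "aws_secret_access_key": credentials["SecretAccessKey"],
            "aws_session_token": credentials["SessionToken"]}

def assume_role_with_mfa(sts, mfa_serial, mfa_code, role_arn, session_name, make_client=None):
    """1) trade long-lived keys + MFA code for session credentials; 2) sign AssumeRole with
    *those* credentials so the call carries MFA context, which the question's client lacks."""
    if make_client is None:
        import boto3  # only needed against real AWS; demo() injects FakeSTS instead
        make_client = boto3.client
    if not ROLE_SESSION_NAME_RE.fullmatch(session_name):
        raise ValueError(f"invalid RoleSessionName: {session_name!r}")
    temp = sts.get_session_token(DurationSeconds=3600, SerialNumber=mfa_serial,
                                 TokenCode=mfa_code)["Credentials"]
    sts_mfa = make_client("sts", **client_kwargs_from(temp))
    return sts_mfa.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]

class FakeSTS:
    """Constructed offline stand-in for a boto3 STS client, modelling a role whose trust policy
    requires MFA: AssumeRole is denied unless the caller signs with a session token."""
    def __init__(self, aws_session_token=None, **_other_keys):
        self.session_token = aws_session_token

    def get_session_token(self, DurationSeconds, SerialNumber, TokenCode):
        return {"Credentials": {"AccessKeyId": "ASIA-TEMP", "SecretAccessKey": "s",
                                "SessionToken": f"mfa:{SerialNumber}"}}

    def assume_role(self, RoleArn, RoleSessionName):
        if not self.session_token:  # boto3 raises botocore ClientError(AccessDenied) here
            raise PermissionError(f"AccessDenied: sts:AssumeRole on {RoleArn}")
        return {"Credentials": {"AccessKeyId": "ASIA-ROLE", "SecretAccessKey": "r",
                                "SessionToken": f"role:{RoleArn}"}}

def demo(account_id="456789012345"):  # constructed account id, not the question's
    role = build_role_arn(account_id, "this-user")
    return assume_role_with_mfa(FakeSTS(), "arn:aws:iam::123456789012:mfa/my.name", "123456",
                                role, "my-client", make_client=lambda svc, **kw: FakeSTS(**kw))
```

Calling FakeSTS().assume_role(...) directly, with no session token, reproduces the AccessDenied path the question hit; demo() shows the chained call succeeding.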