Aws STS 承担调用 API 网关的角色

Aws STS assume role for calling API Gateway

我正在尝试使用 StsClient assumeRole (php aws sdk 3) 调用 api 网关路由。一切正常,除了我不知道如何不 'hardcode' 角色策略中的 sts 用户会话 ARN。 这是我的无服务器代码:

Resources:
  ApiGatewayPolicy:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: my-policy-apigateway
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Action:
              - execute-api:Invoke
            Resource:
              Fn::Join: [ "", [ "arn:aws:execute-api:", { "Ref": "AWS::Region" }, ':', { "Ref": "AWS::AccountId" }, ':', { "Ref": "ApiGatewayRestApi" }, '/*/GET/routeName/*/*/*' ] ]
            Effect: Allow
      Roles:
        - Ref: IamRoleApiGatewayExecution

和 STS 策略(使用 STS 而不是 IAM 用户的 ARN):

Resources:
  IamRoleApiGatewayExecution:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS:
                Fn::Join: [ "", [ "arn:aws:sts::", { "Ref": "AWS::AccountId" }, ':assumed-role/YYYYYYYYYYYYY/XXXXXXXXXXXXXXXXXXXXXXXXXXX' ] ]
            Action: sts:AssumeRole

我确实使用 php aws sdk(另一个项目)调用路由:

        $stsClient = new StsClient([
            'region' => 'eu-west-1',
            'version' => 'latest',
        ]);
        $ARN = "arn:aws:iam::.........:role/dating-crop-dev-IamRoleApiGatewayExecution-..........";

        $sessionName = uniqid('api-gateway-access-');
        $result = $stsClient->assumeRole([
            'RoleArn' => $ARN,
            'RoleSessionName' => $sessionName,
        ]);
........

正如我所说,一切正常,除了我不知道如何使 XXXXXXXXXXXXXXXXXXXXXXXXXXX 动态,否则我必须在几个小时后更新它(最糟糕的做法: ))。 感谢您的任何建议。

我已通过在角色策略中将 sts 用户 ARN 替换为 IAM 角色 ARN 来解决此问题。所以

            Principal:
              AWS:
                Fn::Join: [ "", [ "arn:aws:sts::", { "Ref": "AWS::AccountId" }, ':assumed-role/YYYYYYYYYYYYY/XXXXXXXXXXXXXXXXXXXXXXXXXXX' ] ]

变成:

            Principal:
              Service: apigateway.amazonaws.com
              AWS:
                Fn::Join: [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ':role/myRoleName' ] ]

而且效果很好。