Aws STS 承担调用 API 网关的角色
Aws STS assume role for calling API Gateway
我正在尝试使用 StsClient assumeRole (php aws sdk 3) 调用 api 网关路由。一切正常,除了我不知道如何不 'hardcode' 角色策略中的 sts 用户会话 ARN。
这是我的无服务器代码:
Resources:
ApiGatewayPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: my-policy-apigateway
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- execute-api:Invoke
Resource:
Fn::Join: [ "", [ "arn:aws:execute-api:", { "Ref": "AWS::Region" }, ':', { "Ref": "AWS::AccountId" }, ':', { "Ref": "ApiGatewayRestApi" }, '/*/GET/routeName/*/*/*' ] ]
Effect: Allow
Roles:
- Ref: IamRoleApiGatewayExecution
和 STS 策略(使用 STS 而不是 IAM 用户的 ARN):
Resources:
IamRoleApiGatewayExecution:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS:
Fn::Join: [ "", [ "arn:aws:sts::", { "Ref": "AWS::AccountId" }, ':assumed-role/YYYYYYYYYYYYY/XXXXXXXXXXXXXXXXXXXXXXXXXXX' ] ]
Action: sts:AssumeRole
我确实使用 php aws sdk(另一个项目)调用路由:
$stsClient = new StsClient([
'region' => 'eu-west-1',
'version' => 'latest',
]);
$ARN = "arn:aws:iam::.........:role/dating-crop-dev-IamRoleApiGatewayExecution-..........";
$sessionName = uniqid('api-gateway-access-');
$result = $stsClient->assumeRole([
'RoleArn' => $ARN,
'RoleSessionName' => $sessionName,
]);
........
正如我所说,一切正常,除了我不知道如何使 XXXXXXXXXXXXXXXXXXXXXXXXXXX 动态,否则我必须在几个小时后更新它(最糟糕的做法: ))。
感谢您的任何建议。
我已通过在角色策略中将 sts 用户 ARN 替换为 IAM 角色 ARN 来解决此问题。所以
Principal:
AWS:
Fn::Join: [ "", [ "arn:aws:sts::", { "Ref": "AWS::AccountId" }, ':assumed-role/YYYYYYYYYYYYY/XXXXXXXXXXXXXXXXXXXXXXXXXXX' ] ]
变成:
Principal:
Service: apigateway.amazonaws.com
AWS:
Fn::Join: [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ':role/myRoleName' ] ]
而且效果很好。
我正在尝试使用 StsClient assumeRole (php aws sdk 3) 调用 api 网关路由。一切正常,除了我不知道如何不 'hardcode' 角色策略中的 sts 用户会话 ARN。 这是我的无服务器代码:
Resources:
ApiGatewayPolicy:
Type: AWS::IAM::Policy
Properties:
PolicyName: my-policy-apigateway
PolicyDocument:
Version: '2012-10-17'
Statement:
- Action:
- execute-api:Invoke
Resource:
Fn::Join: [ "", [ "arn:aws:execute-api:", { "Ref": "AWS::Region" }, ':', { "Ref": "AWS::AccountId" }, ':', { "Ref": "ApiGatewayRestApi" }, '/*/GET/routeName/*/*/*' ] ]
Effect: Allow
Roles:
- Ref: IamRoleApiGatewayExecution
和 STS 策略(使用 STS 而不是 IAM 用户的 ARN):
Resources:
IamRoleApiGatewayExecution:
Type: 'AWS::IAM::Role'
Properties:
AssumeRolePolicyDocument:
Version: '2012-10-17'
Statement:
- Effect: Allow
Principal:
AWS:
Fn::Join: [ "", [ "arn:aws:sts::", { "Ref": "AWS::AccountId" }, ':assumed-role/YYYYYYYYYYYYY/XXXXXXXXXXXXXXXXXXXXXXXXXXX' ] ]
Action: sts:AssumeRole
我确实使用 php aws sdk(另一个项目)调用路由:
$stsClient = new StsClient([
'region' => 'eu-west-1',
'version' => 'latest',
]);
$ARN = "arn:aws:iam::.........:role/dating-crop-dev-IamRoleApiGatewayExecution-..........";
$sessionName = uniqid('api-gateway-access-');
$result = $stsClient->assumeRole([
'RoleArn' => $ARN,
'RoleSessionName' => $sessionName,
]);
........
正如我所说,一切正常,除了我不知道如何使 XXXXXXXXXXXXXXXXXXXXXXXXXXX 动态,否则我必须在几个小时后更新它(最糟糕的做法: ))。 感谢您的任何建议。
我已通过在角色策略中将 sts 用户 ARN 替换为 IAM 角色 ARN 来解决此问题。所以
Principal:
AWS:
Fn::Join: [ "", [ "arn:aws:sts::", { "Ref": "AWS::AccountId" }, ':assumed-role/YYYYYYYYYYYYY/XXXXXXXXXXXXXXXXXXXXXXXXXXX' ] ]
变成:
Principal:
Service: apigateway.amazonaws.com
AWS:
Fn::Join: [ "", [ "arn:aws:iam::", { "Ref": "AWS::AccountId" }, ':role/myRoleName' ] ]
而且效果很好。