2

我正在尝试获取临时凭证以将文件上传到 S3 存储桶。我正在使用 IAM 用户的凭证来调用 STS 假设角色方法。该角色是通过 AWS Cognito 创建的。下面是 IAM 用户策略和角色策略,

错误消息: 

POST https://sts.amazonaws.com/ 403 (Forbidden)

User: arn:aws:iam::########:user/iamUser  is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::#########:role/myRole

IAM 用户政策

{
 "Statement": [
   {
     "Effect": "Allow",
     "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::*"
   },
   {
     "Effect": "Allow",
     "Action": ["s3:ListBucket" ],
     "Resource": [ "arn:aws:s3:::myBucket"]
   },
   {
     "Effect": "Allow",
     "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectAcl","s3:PutObjectAcl"],
     "Resource": [ "arn:aws:s3:::myBucket/*"]
   },
   {
   "Effect": "Allow",
   "Action": "iam:PassRole",
   "Resource": ["arn:aws:iam::###########:role/myRole"]
   },
   {
   "Effect": "Allow",
   "Action": "sts:AssumeRole",
   "Resource": ["arn:aws:iam::###########:role/myRole"]
   }
 ]
}

角色政策

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Sid": "Stmt1420643359000",
     "Effect": "Allow",
     "Action": [
       "s3:*"
     ],
     "Resource": [
       "arn:aws:s3:::myBucket"
     ]
   }
 ]
}
4

2 回答 2

1

Cognito 角色应使用 AssumeRoleWithWebIdentity 调用,而不是 AssumeRole。

您指出这是 JavaScript,您是否查看过使用 Cognito 的 JavaScript SDK 文档

于 2015-01-09T00:57:06.223 回答
0

在角色策略中添加以下行以授予 iam 角色正确的权限。

IAM 角色和 IAM 用户没有相互共享权限。

{
  "Sid": "Stmt1420676933473",
  "Action": [
    "sts:AssumeRole"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:iam::###########:role/myRole"
}
于 2015-01-08T00:33:15.003 回答