1

不幸的是,我为此工作损失了几天。

如何通过 IAM 角色获取临时凭证?这可能吗?

这是我的场景和代码。(Java 上的 AWS 开发工具包)

  • 通过 AWS 账户 accessKey 和 secretKey 的 STS 实例

    AWSSecurityTokenService tokenService = new AWSSecurityTokenServiceClient(new BasicAWSCredentials(awsProperty.getAccess(), awsProperty.getSecret()));

  • 进行 AssumeRoleRequest

    AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
assumeRoleRequest.setRoleArn(arn);
assumeRoleRequest.setDurationSeconds(900);
assumeRoleRequest.setRoleSessionName("for_test");
assumeRoleRequest.setExternalId("ext_id");

  • 获取 SessionCredentials

    AssumeRoleResult roleResult =  tokenService.assumeRole(assumeRoleRequest);
Credentials credentials = roleResult.getCredentials();

AWSCredentials awsCredentials = new BasicSessionCredentials(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken());

  • 工作

    AmazonCloudFrontClient cloudFrontClient = new AmazonCloudFrontClient(awsCredentials);

它抛出AWSSecurityTokenServiceException

User: arn:aws:iam::{account}:user/{user_name} is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{role_account}:role/{role_name} (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied;

我制定这样的政策。附加到 IAM 角色和 IAM 用户。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1490674259000",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

编辑:

我使用 IAM Policy Simulator 测试了策略(已修改)。选择- 它允许AWS Security Token Service-AssumeRoleIAM Role ARN

4

1 回答 1

2

您应该向您的 IAM 角色添加信任关系以允许它被假定。

于 2017-03-28T09:37:56.730 回答