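I have a role on an EC2 instance that has assume-role permission for a different role. I set up the trust relationship, so that shouldn't be an issue. I have this code to get IAM credentials: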
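
    import com.amazonaws.auth.AWSCredentialsProvider;
    import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
    import org.apache.logging.log4j.LogManager;
    import org.apache.logging.log4j.Logger;

    public class AwsCredentialsHelper {
        private static final String ROLE_ARN_PROPERTY = "aws.role.arn";
        private static final Logger logger = LogManager.getLogger("InfraLogger");

        private AwsCredentialsHelper() {
        }

        // Returns an assume-role provider when a role ARN is configured, otherwise defaultProvider.
        // clientId is passed to the builder as the role session name.
        public static AWSCredentialsProvider getCredentialsProvider(String clientId, AWSCredentialsProvider defaultProvider) {
            String roleArn = getRoleArnProperty();
            if (roleArn != null) {
                if (logger.isDebugEnabled()) {
                    logger.debug("Using assume role credentials provider for role {}", roleArn);
                }
                return new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, clientId).build();
            } else {
                if (logger.isDebugEnabled()) {
                    logger.debug("Using default credentials provider");
                }
                return defaultProvider;
            }
        }

        // Not shown in the original post; assumed here to read the JVM system property.
        private static String getRoleArnProperty() {
            return System.getProperty(ROLE_ARN_PROPERTY);
        }
    }
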
This fails for me with:
18:59:47.516 [kpl-daemon-0000] DEBUG com.amazonaws.auth.AWSCredentialsProviderChain - Unable to load credentials from EnvironmentVariableCredentialsProvider: Unable to load AWS credentials from environment variables (AWS_ACCESS_KEY_ID (or AWS_ACCESS_KEY) and AWS_SECRET_KEY (or AWS_SECRET_ACCESS_KEY))
18:59:47.516 [kpl-daemon-0000] DEBUG com.amazonaws.auth.AWSCredentialsProviderChain - Unable to load credentials from SystemPropertiesCredentialsProvider: Unable to load AWS credentials from Java system properties (aws.accessKeyId and aws.secretKey)
18:59:47.516 [main] DEBUG org.springframework.jmx.export.annotation.AnnotationMBeanExporter - Unregistering JMX-exposed beans
18:59:47.523 [kpl-daemon-0000] DEBUG com.amazonaws.auth.AWSCredentialsProviderChain - Unable to load credentials from com.amazonaws.auth.profile.ProfileCredentialsProvider@c745363: profile file cannot be null
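It looks like it only checks the first three places but never gets past them to the next ones (including the IAM role). We obviously don't have a credentials file set up. The same exact code does work for me in a different setup, so I'm confused about whether I'm doing this right.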