3

我正在尝试使用带有 SecurityAudit 角色的 Assume Role 功能授予第三方 AWS 账户对我的 AWS 账户的访问权限,类似于此处。我按照这里的解释为第三方账户分配了名为 testing 的角色,我将在其中获得类似这样的信任关系(我还添加了第三方的 IAM 用户,因为它将使用他的访问密钥访问我的 AWS 账户) :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::thirdparty:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

然后我按照这里的代码如下:

AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                                                    .withCredentials(new ProfileCredentialsProvider())
                                                    .withRegion(clientRegion)
                                                    .build();

            // Obtain credentials for the IAM role. Note that you cannot assume the role of an AWS root account;
            // Amazon S3 will deny access. You must use credentials for an IAM user or an IAM role.
            AssumeRoleRequest roleRequest = new AssumeRoleRequest()
                                                    .withRoleArn(roleARN)
                                                    .withRoleSessionName(roleSessionName);
            AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
            Credentials sessionCredentials = roleResponse.getCredentials();

但是当第三方运行代码时,它会收到如下错误:

Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::thirdparty:user/TestOne is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::myaccount:role/testing(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1632)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1304)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1058)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1307)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1283)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:466)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:442)

那么如果第三方AWS账户想要使用他的访问密钥对我的账户进行安全审计,应该如何正确配置呢?

4

1 回答 1

2

错误说

arn:aws:iam::thirdparty:user/TestOne

不是能够承担利益的角色。

在您的问题中,您正确地允许arn:aws:iam::thirdparty:root担任该角色。但这仍然没有授予 TestOneIAM 用户执行相同操作的权限。

thirdparty要解决此问题,账户的管理员/根必须明确允许IAM 用户TestOne进入sts:AssumeRole您的账户。

例如,该帐户可以向用户thirdparty添加诸如内联策略TestOne之类的权限。显然,也可以使用客户管理的策略或其他 IAM 机制来完成。但是内联策略似乎是最快和最容易测试的。

于 2020-06-19T22:23:07.637 回答