When I use AWS, I switch roles to view client data in the console, and that works fine.
However, I am trying to do this with the boto3 package in Python and I am getting an "Access Denied" error. I do not have permission to add IAM roles or edit trust policies in the console, but I do not think I need to do that?
Sample code and error below:
The initial authentication to my account works fine:
```python
from boto.sts import STSConnection  # legacy boto (not boto3) STS client

mfa_TOTP = input("Enter the MFA code: ")
sts_connection = STSConnection()
# GetSessionToken with the user's MFA device: returns temporary credentials
tempCredentials = sts_connection.get_session_token(
    duration=3600,
    mfa_serial_number="arn:aws:iam::123xyz123:mfa/my.name",
    mfa_token=mfa_TOTP
)
print('MFA authentication successful :)')
```
```
Enter the MFA code: 123456
MFA authentication successful :)
```
Trying to assume the role fails:
```python
import boto3

# df is a DataFrame loaded earlier; the Account column holds "name [account-id]"
account = df.Account[0]
acct_num = account.split('[')[1].split(']')[0]
role_arn = 'arn:aws:iam::' + str(acct_num) + ':role/this-user'
# new STS client built from the default credential chain, not tempCredentials
sts_client = boto3.client('sts')
assumed_role_object = sts_client.assume_role(
    RoleArn=role_arn,
    RoleSessionName=account.split(' ')[0]
)
```
```
ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::123xyz123:user/my.name is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::456abc456:role/this-user
```
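Note that in the code above the temporary credentials returned by `get_session_token` are never handed to the second client: `boto3.client('sts')` picks up the long-term user keys from the default credential chain, so the AssumeRole request carries no MFA context and will be denied if the role's trust policy or the user's policy has an MFA condition. The following is an added example (not from the original post) of the pattern with boto3 only, threading the MFA session credentials into the STS client that calls `assume_role`; the ARNs are the placeholders from the question, `client-review` is an assumed session name, and `client_factory` is an injection point so the logic can be exercised without AWS.

```python
"""Added example: MFA session -> second STS client -> AssumeRole."""
try:
    import boto3  # only needed when talking to real AWS
except ImportError:
    boto3 = None

# Placeholder identifiers taken from the question; replace with your own.
MFA_SERIAL = "arn:aws:iam::123xyz123:mfa/my.name"
ROLE_ARN = "arn:aws:iam::456abc456:role/this-user"


def session_credentials_kwargs(creds):
    """Map an STS 'Credentials' dict onto boto3.client keyword arguments."""
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def assume_role_with_mfa(sts, mfa_code, client_factory=None):
    """sts: STS client built from the user's long-term credentials.
    client_factory: callable building an STS client from credential kwargs
    (defaults to boto3.client('sts', **kwargs)). Returns the role credentials."""
    if client_factory is None:
        client_factory = lambda **kw: boto3.client("sts", **kw)
    # Step 1: MFA-authenticated session credentials for the IAM user.
    session = sts.get_session_token(
        DurationSeconds=3600, SerialNumber=MFA_SERIAL, TokenCode=mfa_code
    )
    # Step 2: a second STS client that uses those session credentials,
    # instead of silently falling back to the default credential chain.
    mfa_sts = client_factory(**session_credentials_kwargs(session["Credentials"]))
    # Step 3: AssumeRole now runs under the MFA session, so an
    # aws:MultiFactorAuthPresent condition on the role can be satisfied.
    assumed = mfa_sts.assume_role(RoleArn=ROLE_ARN, RoleSessionName="client-review")
    return assumed["Credentials"]


if __name__ == "__main__":
    code = input("Enter the MFA code: ")
    role_creds = assume_role_with_mfa(boto3.client("sts"), code)
    # Build clients in the client account from role_creds, for example:
    # boto3.client("s3", **session_credentials_kwargs(role_creds))
```

If the call is still denied with the session credentials in place, the remaining causes are the user's policy lacking `sts:AssumeRole` on that role ARN or the role's trust policy not naming the user's account, both visible to whoever administers the accounts.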