0

我正在尝试使用带有 STS 的 java 创建 s3 客户端

 BasicSessionCredentials credentials = getCredentialsOfCurrentRole();
 AWSSecurityTokenService sts = new 
 AWSSecurityTokenServiceClient(credentials).withRegion(REGION);
 AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest().withRoleArn(roleArn)
                .withDurationSeconds(getDurationToAssumeRole())
                .withRoleSessionName(sessionName);
        
 AssumeRoleResult assumeRoleResult = sts.assumeRole(assumeRoleRequest);
        // Get temporary credentials of assumed role
        assumedRoleCredentials = assumeRoleResult.getCredentials();

但是在请求 IAM 角色的临时凭证时出现以下异常

Failed to get credentials using STS. Reason: 
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: 
arn:aws:sts::434234520724:assumed-role/myapplication.role.name/kiam-kiam is not authorized to 
perform: sts:AssumeRole on resource: arn:aws:iam::412341320567:role/webapplication.app.com
4

2 回答 2

0

错误消息是不言自明的。运行您的代码的 IAM 角色myapplication.role.name/kiam-kiam无权代入webapplication.app.com角色。

要尝试纠正问题,您可以将内联策略附加到myapplication.role.name角色。该政策可以是:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAssumeRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::412341320567:role/webapplication.app.com"
        }
    ]
}
于 2020-12-16T09:21:07.607 回答
0

看起来您正在使用 Java V1。我将展示 V2 代码来回答这个问题。在您要承担的角色中,例如使用 STS Java V2 API,您需要设置信任关系。在信任关系中,指定要信任的用户。例如:

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "<Specify the ARN of your IAM user you are using in this code example>"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }

例如,现在您可以运行 Java 程序来调用假设角色操作。

package com.example.sts;

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.StsException;
import software.amazon.awssdk.services.sts.model.AssumeRoleResponse;
import software.amazon.awssdk.services.sts.model.Credentials;
import java.time.Instant;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.time.format.FormatStyle;
import java.util.Locale;

/**
 * To make this code example work, create a Role that you want to assume.
 * Then define a Trust Relationship in the AWS Console. YOu can use this as an example:
 *
 * {
 *   "Version": "2012-10-17",
 *   "Statement": [
 *     {
 *       "Effect": "Allow",
 *       "Principal": {
 *         "AWS": "<Specify the ARN of your IAM user you are using in this code example>"
 *       },
 *       "Action": "sts:AssumeRole"
 *     }
 *   ]
 * }
 *
 *  For more information, see "Editing the Trust Relationship for an Existing Role" in the AWS Directory Service guide.
 */

    public class AssumeRole {
    
        public static void main(String[] args) {
    
             String roleArn = "arn:aws:iam::000540000000:role/s3role" ; // args[0];
            String roleSessionName = "mysession101"; // args[1];
    
            Region region = Region.US_EAST_1;
            StsClient stsClient = StsClient.builder()
                    .region(region)
                    .build();
    
           try {
            AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
                    .roleArn(roleArn)
                    .roleSessionName(roleSessionName)
                    .build();
    
               AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest);
    
               Credentials myCreds = roleResponse.credentials();
    
               //Display the time when the temp creds expire
               Instant exTime = myCreds.expiration();
    
               // Convert the Instant to readable date
               DateTimeFormatter formatter =
                       DateTimeFormatter.ofLocalizedDateTime( FormatStyle.SHORT )
                               .withLocale( Locale.US)
                               .withZone( ZoneId.systemDefault() );
    
               formatter.format( exTime );
               System.out.println("The temporary credentials expire on " + exTime );
    
           } catch (StsException e) {
               System.err.println(e.getMessage());
               System.exit(1);
           }
    
       }
    }

如果不设置信任关系,则此代码不起作用。

于 2020-12-16T20:29:27.540 回答