When using AWS EKS I ran into a role-chaining problem, and I cannot tell where the chaining is incorrect.

Role A in account 1 is to assume role B in account 2.

Role A is arn:aws:sts::{ACCOUNT-ID-1}:assumed-role/{ROLE-NAME}/{SESSION-NAME}

Role B is a standard one: arn:aws:iam::{ACCOUNT-ID-2}:role/{ROLE-NAME}

Role A is an assumed-role because the role is assumed when deployed into EKS.

Role A's policy is

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "sts:*",
            "Resource": "*"
        }
    ]
}

B's trust policy is

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "*"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "aws:PrincipalOrgID": "{ORD}"
        },
        "ArnLike": {
          "aws:PrincipalArn": [
            "arn:aws:sts::{ACCOUNT-ID-1}:assumed-role/{ROLE-NAME}/{SESSION-NAME}"
          ]
        }
      }
    }
  ]
}

* aws:PrincipalOrgID matches correctly when validated

The role assumption is done in Spring Boot

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.auth.WebIdentityTokenCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import org.springframework.context.annotation.Bean;

  @Bean
  public WebIdentityTokenCredentialsProvider getCredProvider() {
    // Credentials for role A, obtained from the web identity token mounted in the EKS pod
    return WebIdentityTokenCredentialsProvider.builder().roleSessionName("SESSION-NAME").build();
  }

  public AWSCredentialsProvider assumeRole() {
    AWSCredentialsProvider credentials = getCredProvider();
    // STS client authenticated as the role A session
    AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
            .withRegion("us-west-1")
            .withCredentials(credentials)
            .build();
    // Chain from role A to role B in account 2
    return new STSAssumeRoleSessionCredentialsProvider.Builder("arn:aws:iam::{ACCOUNT-ID-2}:role/{ROLE-NAME}", "role-b-session")
            .withStsClient(sts)
            .build();
  }

This role assumption fails with:

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 
User: arn:aws:sts::{ACCOUNT-ID-1}:assumed-role/{ROLE-NAME}/{SESSION-NAME}
is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{ACCOUNT-ID-2}:role/{ROLE-NAME} 
(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied;

I am not sure why the above returns AccessDenied given the configured trust and permission policies and the Java code.


0 answers
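As an added illustration (not part of the question or any answer), here is a small Python model of how role B's Condition block is evaluated against the request context. It assumes AWS's documented behaviour that aws:PrincipalArn for a role session carries the IAM role ARN (arn:aws:iam::...:role/...) rather than the sts assumed-role ARN; the account, role, session and org IDs are constructed placeholders.

```python
import re

# Constructed sample values standing in for the placeholders in the question.
ACCOUNT_1 = "111111111111"
ROLE_NAME = "role-a"
SESSION_NAME = "pod-session"
ORG_ID = "o-exampleorg"

def arn_like(pattern, arn):
    """IAM ArnLike: each of the six colon-separated ARN components is compared
    separately; * and ? wildcards are allowed in the pattern (case-sensitive)."""
    p_parts, a_parts = pattern.split(":", 5), arn.split(":", 5)
    if len(p_parts) != 6 or len(a_parts) != 6:
        return False
    for p, a in zip(p_parts, a_parts):
        regex = "^" + re.escape(p).replace(r"\*", ".*").replace(r"\?", ".") + "$"
        if not re.match(regex, a):
            return False
    return True

def condition_matches(condition, context):
    """Evaluate a Condition block (StringEquals / ArnLike) against the request
    context; every condition key must match for the statement to apply."""
    for op, keys in condition.items():
        for key, allowed in keys.items():
            values = allowed if isinstance(allowed, list) else [allowed]
            actual = context.get(key, "")  # missing key never matches
            if op == "StringEquals":
                ok = actual in values
            elif op == "ArnLike":
                ok = any(arn_like(v, actual) for v in values)
            else:
                raise ValueError(f"unsupported operator {op}")
            if not ok:
                return False
    return True

def trust_policy_allows(principal_arn_pattern):
    """Evaluate role B's Condition from the question for a request made by a
    session of role A. For role sessions AWS fills aws:PrincipalArn with the
    role ARN (arn:aws:iam::...:role/...), not the sts assumed-role ARN."""
    condition = {"StringEquals": {"aws:PrincipalOrgID": ORG_ID},
                 "ArnLike": {"aws:PrincipalArn": [principal_arn_pattern]}}
    context = {"aws:PrincipalOrgID": ORG_ID,
               "aws:PrincipalArn": f"arn:aws:iam::{ACCOUNT_1}:role/{ROLE_NAME}"}
    return condition_matches(condition, context)

# The pattern used in the question's trust policy, and the role-ARN form.
ASSUMED_ROLE_PATTERN = f"arn:aws:sts::{ACCOUNT_1}:assumed-role/{ROLE_NAME}/{SESSION_NAME}"
ROLE_PATTERN = f"arn:aws:iam::{ACCOUNT_1}:role/{ROLE_NAME}"
```

Running trust_policy_allows with each pattern shows which form of the principal ARN the ArnLike condition actually matches for a role session.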