我正在尝试在其他帐户中担任角色以授予我读取权限。角色 (ROLE_IN_TARGET_ACCOUNT) 具有我需要的权限,但是我收到一个错误,即我的用户 (SOURCE_USER) 不允许担任该角色。
ROLE_IN_TARGET_ACCOUNT 也有以下信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::SOURCE_ACCOUNTID:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
},
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::SOURCE_ACCOUNTID:user/SOURCE_USER"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
以下策略已添加到 SOURCE_ACCOUNTID 中的 IAM 用户组
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::TARGET_ACCOUNT:role/ROLE_IN_TARGET_ACCOUNT"
}
SOURCE_USER 是该用户组的成员。所以 ROLE_IN_TARGET_ACCOUNT 应该信任 SOURCE_USER,并且 SOURCE_USER 应该有权承担 ROLE_IN_TARGET_ACCOUNT。
但是,我得到了错误
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::SOURCE_ACCOUNTID:user/SOURCE_USER is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::TARGET_ACCOUNT:role/ROLE_IN_TARGET_ACCOUNT
我在这里想念什么?