我正在尝试获取临时凭据以将文件上传到S3存储桶。我使用IAM用户的凭据来调用STS assumeRole方法。角色是通过AWS Cognito创建的。以下是IAM用户策略和角色策略
错误消息:
POST https://sts.amazonaws.com/ 403 (Forbidden)
User: arn:aws:iam::########:user/iamUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::#########:role/myRole
IAM用户政策
{
"Statement": [
{
"Effect": "Allow",
"Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
"Resource": "arn:aws:s3:::*"
},
{
"Effect": "Allow",
"Action": ["s3:ListBucket" ],
"Resource": [ "arn:aws:s3:::myBucket"]
},
{
"Effect": "Allow",
"Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectAcl","s3:PutObjectAcl"],
"Resource": [ "arn:aws:s3:::myBucket/*"]
},
{
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": ["arn:aws:iam::###########:role/myRole"]
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": ["arn:aws:iam::###########:role/myRole"]
}
]
}
角色政策
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1420643359000",
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::myBucket"
]
}
]
}
答案 0 :(得分:0)
在角色政策中添加以下行,为iam角色提供正确的权限。
IAM角色和IAM用户没有相互分享权限。
{
"Sid": "Stmt1420676933473",
"Action": [
"sts:AssumeRole"
],
"Effect": "Allow",
"Resource": "arn:aws:iam::###########:role/myRole"
}
答案 1 :(得分:0)
Cognito角色是用AssumeRoleWithWebIdentity调用的,而不是AssumeRole。
您表示这是JavaScript,您是否看过JavaScript SDK docs for using Cognito?