I'm running into a problem using the AWS STS service to give temporary users access to the console. I can retrieve credentials using an IdP and the AssumeRoleWithWebIdentityInput method, and test the credentials with the aws-cli tool, but simply providing a redirect to the console does not work, despite multiple attempts/permutations. I simply get the message: "Some of your credentials are missing. Please contact your administrator." Note: the attached policy on the role trusted with the custom IdP is AmazonEC2ReadOnlyAccess. Note: I have also tried GetFederatedToken(), which ends the same way; the credentials work for the API, but when attempting to log in and redirect I cannot access the console. Has anyone run into this? ...is there something missing from my policy that allows console access?
I have also tried adding a policy document to the request, again, nothing more than a copy and paste of the AmazonEC2ReadOnlyAccess policy, but no dice.
// assume the identity - works fine - I receive my credentials
// and I can use the access key id, secret and session token placed
// in ~/.aws/credentials fine
input := &sts.AssumeRoleWithWebIdentityInput{
	RoleArn:          aws.String("arn:aws:iam::ACCOUNT_ID:role/USER-web-identity"),
	RoleSessionName:  aws.String(context.email),
	WebIdentityToken: aws.String(context.token.Encode()),
	DurationSeconds:  aws.Int64(900),
}
.. skipping code
// I then try to give the user access to the console as
// described in http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
// `encoded` holds the session JSON built from the credentials returned above, using the key names the
// linked page prescribes: {"sessionId": <AccessKeyId>, "sessionKey": <SecretAccessKey>, "sessionToken": <SessionToken>}
signInURL := "https://signin.aws.amazon.com/federation" // federation endpoint from the linked page
params := &url.Values{}
params.Add("Action", "getSigninToken")
params.Add("SessionType", "json")
params.Add("Session", string(encoded))
// I receive the signintoken response fine and encode it into a
// redirect url to the console (`token` is the SigninToken field of that response)
query := &url.Values{}
query.Add("Action", "login")
query.Add("Issuer", "https://127.0.0.1:3000/sso/session")
query.Add("Destination", "https://console.aws.amazon.com")
query.Add("SigninToken", token)
cx.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s?%s", signInURL, query.Encode()))
// get nothing but "Some of your credentials are missing"
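Added example, not code from the question or from AWS, of the two-step exchange the post walks through in Go: the Session JSON with the key names the linked documentation prescribes, the getSigninToken call, and the login redirect. The endpoint is a parameter so the flow can be exercised against a local stand-in server, and the refusal of incomplete credentials in SigninTokenURL is my own sanity check, not something the documentation requires.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/url"
)

// Session is the JSON the federation endpoint expects in the Session parameter; the key names are fixed by the docs.
type Session struct {
	SessionID    string `json:"sessionId"`    // AccessKeyId from STS
	SessionKey   string `json:"sessionKey"`   // SecretAccessKey from STS
	SessionToken string `json:"sessionToken"` // SessionToken from STS
}

// SigninTokenURL builds the getSigninToken request and refuses incomplete
// credentials, since a missing field yields a session the console cannot use.
func SigninTokenURL(endpoint string, s Session) (string, error) {
	if s.SessionID == "" || s.SessionKey == "" || s.SessionToken == "" {
		return "", fmt.Errorf("temporary credentials are incomplete")
	}
	sess, _ := json.Marshal(s) // a struct of plain strings cannot fail to marshal
	q := url.Values{"Action": {"getSigninToken"}, "SessionType": {"json"}, "Session": {string(sess)}}
	return endpoint + "?" + q.Encode(), nil
}

// FetchSigninToken performs the GET and decodes the {"SigninToken": "..."} reply.
func FetchSigninToken(endpoint string, s Session) (string, error) {
	u, err := SigninTokenURL(endpoint, s)
	if err != nil {
		return "", err
	}
	resp, err := http.Get(u)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	var body struct{ SigninToken string }
	if resp.StatusCode != http.StatusOK || json.NewDecoder(resp.Body).Decode(&body) != nil || body.SigninToken == "" {
		return "", fmt.Errorf("federation endpoint returned no SigninToken (%s)", resp.Status)
	}
	return body.SigninToken, nil
}

// LoginURL is the console redirect that carries the signin token.
func LoginURL(endpoint, token, issuer, dest string) string {
	q := url.Values{"Action": {"login"}, "Issuer": {issuer}, "Destination": {dest}, "SigninToken": {token}}
	return endpoint + "?" + q.Encode()
}
```

In production the endpoint is https://signin.aws.amazon.com/federation; the credential values in any test are constructed placeholders.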