AWS Lambda: how to access another account's bucket using an IAM role in Java

Time: 2016-01-18 15:49:04

Tags: java amazon-web-services amazon-s3 aws-lambda

I have 2 accounts

Account A and Account B

In Account A, I have deployed my Lambda function (Amazon S3).

import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;

// Request and Response are the function's own input/output POJOs (not shown in the question)
public class LambdaFunctionHandler implements RequestHandler<Request, Response> {

    public Response handleRequest(Request request, Context context) {
        String greetingString = String.format("Hello %s %s.",
                request.firstName, request.lastName);
        // Here I need to get the Account B's bucket info
        return new Response(greetingString);
    }

}

In Account A, I am creating the IAM role 'my-lambda', which is also mapped to user X.

In Account B, I created a policy that grants permissions to the user 'my-lambda'. How do I use user X's IAM role to get Account B's bucket info???

Note: if I supply the credentials directly, I can get Account B's bucket information

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.PropertiesCredentials;
import com.amazonaws.services.s3.AmazonS3Client;
import com.amazonaws.services.s3.model.ListObjectsRequest;
import com.amazonaws.services.s3.model.ObjectListing;
import com.amazonaws.services.s3.model.S3ObjectSummary;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetSessionTokenRequest;
import com.amazonaws.services.securitytoken.model.GetSessionTokenResult;

// Long-term access keys loaded from a properties file bundled with the function
AWSCredentials longTermCredentials_ = new PropertiesCredentials(
        LambdaFunctionHandler.class.getResourceAsStream("/resources/" + "AwsCredentials.properties"));
AWSSecurityTokenServiceClient stsClient = new AWSSecurityTokenServiceClient(longTermCredentials_);
GetSessionTokenRequest getSessionTokenRequest = new GetSessionTokenRequest();
GetSessionTokenResult sessionTokenResult = stsClient.getSessionToken(getSessionTokenRequest);
Credentials sessionCredentials = sessionTokenResult.getCredentials();
// Wrap the temporary session credentials for use by the S3 client
BasicSessionCredentials basicSessionCredentials = new BasicSessionCredentials(
        sessionCredentials.getAccessKeyId(),
        sessionCredentials.getSecretAccessKey(),
        sessionCredentials.getSessionToken());
AmazonS3Client s3Client = new AmazonS3Client(basicSessionCredentials);
ListObjectsRequest listObjectsRequest = new ListObjectsRequest().withBucketName("bucketName");
ObjectListing objectListing;
do {
    // Page through the listing; the original called an undefined variable "s3" here
    objectListing = s3Client.listObjects(listObjectsRequest);
    for (S3ObjectSummary objectSummary : objectListing.getObjectSummaries()) {
        String key = objectSummary.getKey();
    }
    listObjectsRequest.setMarker(objectListing.getNextMarker());
} while (objectListing.isTruncated());

1 answer:

Answer 0: (score: 0)

You can use the STSAssumeRoleSessionCredentialsProvider class to assume the role based on your long-term credentials and obtain temporary credentials for the S3 client.

import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3Client;

AWSCredentials longTermCredentials_ =  ...
// The second argument must be the full ARN of the role to assume, not just its name
STSAssumeRoleSessionCredentialsProvider roleCredsProvider =
    new STSAssumeRoleSessionCredentialsProvider(
        longTermCredentials_,
        "arn:aws:iam::ACCOUNT_B_ID:role/my_lambda",   // ACCOUNT_B_ID is a placeholder
        "BucketListSession");
AmazonS3Client s3Client = new AmazonS3Client(roleCredsProvider);
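The following is an added example, not code from the question or the answer, showing the full cross-account pattern inside a Lambda handler. It goes one step beyond the answer: instead of bundling long-term keys in a properties file, it uses the Lambda execution role (picked up by DefaultAWSCredentialsProviderChain from the function's environment) as the source identity for sts:AssumeRole on an Account B role, and sends an ExternalId so the Account B trust policy can pin the caller. The class name CrossAccountBucketLister, the environment variable names ACCOUNT_B_ROLE_ARN, ACCOUNT_B_EXTERNAL_ID and ACCOUNT_B_BUCKET, and the session name are all assumptions; the SDK calls are the AWS SDK for Java 1.x builders.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.lambda.runtime.Context;
import com.amazonaws.services.lambda.runtime.RequestHandler;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ListObjectsV2Request;
import com.amazonaws.services.s3.model.ListObjectsV2Result;
import com.amazonaws.services.s3.model.S3ObjectSummary;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;

import java.util.ArrayList;
import java.util.List;
import java.util.Map;

// Hypothetical handler: lists objects in an Account B bucket from a Lambda in Account A.
public class CrossAccountBucketLister implements RequestHandler<Map<String, String>, List<String>> {

    // Assumed configuration, read from the function's environment so that no account id,
    // role ARN or key material is hard-coded.
    // ACCOUNT_B_ROLE_ARN looks like arn:aws:iam::<ACCOUNT_B_ID>:role/my-lambda (placeholder id).
    private static final String ROLE_ARN = System.getenv("ACCOUNT_B_ROLE_ARN");
    // Must match the sts:ExternalId condition in the Account B role's trust policy.
    private static final String EXTERNAL_ID = System.getenv("ACCOUNT_B_EXTERNAL_ID");
    private static final String BUCKET = System.getenv("ACCOUNT_B_BUCKET");

    // Built once per container: the provider caches the temporary credentials and
    // refreshes them before expiry, so STS is not called on every invocation.
    private static final AmazonS3 S3 = buildCrossAccountS3Client();

    static AmazonS3 buildCrossAccountS3Client() {
        // The Lambda execution role is the caller of sts:AssumeRole; the execution role
        // needs sts:AssumeRole on ROLE_ARN and nothing else for this access path.
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(new DefaultAWSCredentialsProviderChain())
                .build();

        AWSCredentialsProvider assumedRole = new STSAssumeRoleSessionCredentialsProvider
                .Builder(ROLE_ARN, "lambda-bucket-list")
                .withStsClient(sts)
                .withExternalId(EXTERNAL_ID)
                .withRoleSessionDurationSeconds(900) // shortest session STS allows
                .build();

        // Every S3 call made through this client carries Account B's temporary credentials.
        return AmazonS3ClientBuilder.standard()
                .withCredentials(assumedRole)
                .build();
    }

    // Pages through the bucket with ListObjectsV2 and returns all keys under the prefix.
    static List<String> listKeys(AmazonS3 s3, String bucket, String prefix) {
        List<String> keys = new ArrayList<>();
        ListObjectsV2Request request = new ListObjectsV2Request()
                .withBucketName(bucket)
                .withPrefix(prefix);
        ListObjectsV2Result result;
        do {
            result = s3.listObjectsV2(request);
            for (S3ObjectSummary summary : result.getObjectSummaries()) {
                keys.add(summary.getKey());
            }
            request.setContinuationToken(result.getNextContinuationToken());
        } while (result.isTruncated());
        return keys;
    }

    @Override
    public List<String> handleRequest(Map<String, String> event, Context context) {
        String prefix = event.getOrDefault("prefix", "");
        List<String> keys = listKeys(S3, BUCKET, prefix);
        context.getLogger().log("listed " + keys.size() + " objects from " + BUCKET);
        return keys;
    }
}
```

For this to work, three policies have to line up: the Account B role's trust policy names Account A's Lambda execution role as the principal for sts:AssumeRole and carries a condition on sts:ExternalId equal to the value the function sends; the Account B role's permissions policy grants only s3:ListBucket on the one bucket; and the Account A execution role grants sts:AssumeRole on that single role ARN. Because the session name is fixed and the session is short, the AssumeRole and ListBucket events in Account B's CloudTrail can be tied back to this function, which is the audit trail that embedded long-term keys in a properties file never give you.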