发布临时凭证以使用AssumeRole,现有策略和唯一URL登录AWS管理控制台

时间:2016-05-16 18:15:28

标签: powershell amazon-web-services amazon-iam aws-powershell

我想向现有用户发放临时凭证,允许他们访问AWS管理控制台,方法是为他们提供使用这些临时凭证创建的URL。

我正在关注通过AWS文档提供的书面示例:Example Code Using IAM Query APIs

我编写了以下代码,执行时不会出现任何错误,并且似乎返回会话令牌,这样我就可以正确地形成一个URL来登录。

以下是返回会话令牌和随后的URL的代码:

$accessKeyId = 'accesskeyId' 
$secretAccessKey = 'secretaccessKey'
$region = 'us-east-1'

Set-AWSCredentials -AccessKey $accessKeyId -SecretKey $secretAccessKey

$role = Use-STSRole -RoleSessionName "testSTS" -RoleArn "arn:aws:iam::1234567890:role/adminAccess" -DurationInSeconds 900

$jsonSession = @"
{
    "sessionId": $([string]::Format("{0}", $role.Credentials.AccessKeyId)),
    "sessionKey": $([string]::Format("{0}", $role.Credentials.SecretAccessKey)),
    "sessionToken": $([string]::Format("{0}", $role.Credentials.SessionToken))
}
"@

Add-Type -AssemblyName System.Web
$Encode = [System.Web.HttpUtility]::UrlEncode($jsonSession)

$url = $([string]::Format("https://signin.aws.amazon.com/federation?Action=getSigninToken&Session={0}", $Encode))

$payload = Invoke-WebRequest -Uri $url | ConvertFrom-Json

$issuer = [System.Web.HttpUtility]::UrlEncode("https://1234567890.signin.aws.amazon.com")
$destination = [System.Web.HttpUtility]::UrlEncode("https://console.aws.amazon.com")
$signintoken = [System.Web.HttpUtility]::UrlEncode($payload.SigninToken)

$signInUrl = $([string]::Format("https://signin.aws.amazon.com/federation?Action=login&Issuer={0}&Destination={1}&SigninToken={2}", $issuer, $destination, $signintoken))

write-host $signInUrl

不幸的是,当我在网络浏览器中访问网址时,我收到以下错误"亚马逊网络服务登录:您的登录链接中的凭据无效。请联系您的管理员。"

这是我回复给我的网址的样子,显然我出于安全原因更改了accountid和真实会话令牌:

  

https://signin.aws.amazon.com/federation?Action=login&Issuer=https%3a%2f%2f1234567890.signin.aws.amazon.com&Destination=https%3a%2f%2fconsole.aws.amazon.com&SigninToken=ygQQrk4MYJyX1k30Obmj8p3Clax5OaUzQbjIBQH-ADCYP5QHNj2rsBz4ATlHrHqIJlzoAqyPrd_5OC4fo-BNHGKJkfasfkjz4C4hZnfYH-VmmcHIY8Fan0m38SnxwCome8DZHLe-_8igsGmCWKKTAVen_lp5wA0mUuGIgg9TqPIlb5SNPOVY00oc3dEGZnahcBlOJAmN7DWuv3P61EVipF5w2eoSGIdCyPkhZ2vvFD8orN_UJ4nLogkTAf5rvme1cavj6sqmRUS8iOTyEj8a5mLrmWww__p_J3z4aN4U_qEr3SIi9tCmQMCPB6ktaN_-dMIvJMrx23C11KjCyqixHnFxn60MOBH22bmY-6OFOucA

此外,传递给我的凭据和sessiontoken似乎在使用它们发出API命令时起作用,如下面的代码所示:

$accessKeyId = 'accesskeyId' 
$secretAccessKey = 'secretAccessKey'
$region = 'us-east-1'

Set-AWSCredentials -AccessKey $accessKeyId -SecretKey $secretAccessKey

$role = Use-STSRole -RoleSessionName "testSTS" -RoleArn "arn:aws:iam::1234567890:role/adminAccess" -DurationInSeconds 900

$newAccessKeyId = $role.Credentials.AccessKeyId
$newSecretKey = $role.Credentials.SecretAccessKey
$newSessionToken =  $role.Credentials.SessionToken

Set-AWSCredentials -AccessKey $newAccessKeyId -SecretKey $newSecretKey -SessionToken $newSessionToken 

$secgroups = Get-EC2SecurityGroup

更新 我试图删除"发行人"如下文所建议的参数将其列为可选项。我也尝试添加" SessionType"到原始网址请求sessiontoken,并且登录网址仍然失败并出现相同的错误。

1 个答案:

答案 0 :(得分:2)

我找到了答案,不幸的是,结果并不令人兴奋!

似乎违规代码位于创建用于交换登录令牌的JSON会话字符串的部分中。

我错过了关键值对的双引号“”。

以下是其他任何试图让其工作的代码的更新部分!

$jsonSession = @"
{"sessionId": $([string]::Format('"{0}"', $role.Credentials.AccessKeyId)),
"sessionKey": $([string]::Format('"{0}"', $role.Credentials.SecretAccessKey)),
"sessionToken": $([string]::Format('"{0}"', $role.Credentials.SessionToken))}
"@
相关问题
最新问题