在我们的应用程序中,我们使用自定义角色访问aws API。在开发人员环境中,我们在app.config中提供访问密钥和密钥,它运行良好。
在prod环境中,我们设置了具有自定义角色必要权限的IAM角色,并使用该IAM角色启动EC2实例。当我们尝试使用代码切换角色时,我们就会收到错误
消息:用户:arn:aws:sts :: XXXXXXXXX:assume-role // i-0490fbbb5ea7df6a8无权执行:sts:AssumeRole on resource:arn:aws:iam :: XXXXXXXXXX:role /
代码:
AmazonSecurityTokenServiceClient stsClient = new AmazonSecurityTokenServiceClient();
AssumeRoleResponse assumeRoleResponse = await stsClient.AssumeRoleAsync(new AssumeRoleRequest
{
RoleArn = roleArn,
RoleSessionName = sessionName
});
var sessionCredentials = new SessionAWSCredentials(assumeRoleResponse.Credentials.AccessKeyId, assumeRoleResponse.Credentials.SecretAccessKey, assumeRoleResponse.Credentials.SessionToken);
AmazonS3Client s3Client = new AmazonS3Client(sessionCredentials);
政策详情:
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::account_id:role/role-name"
对此的任何帮助都会很棒。提前谢谢。
答案 0 :(得分:3)
我们通过在自定义角色的受信任关系中添加以下策略来解决此问题。
{
"Effect": "Allow",
"Principal": {
"AWS": "<ARN of role that has to assume the custom role>"
},
"Action": "sts:AssumeRole"
}