不幸的是,我为这项工作丢失了几天。
如何通过IAM角色获取临时凭证?这可能吗?
这是我的场景和代码。(Java上的AWS SDK)
AWS账户accessKey和secretKey的STS实例
AWSSecurityTokenService tokenService = new AWSSecurityTokenServiceClient(new BasicAWSCredentials(awsProperty.getAccess(), awsProperty.getSecret()));
制作AssumeRoleRequest
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
assumeRoleRequest.setRoleArn(arn);
assumeRoleRequest.setDurationSeconds(900);
assumeRoleRequest.setRoleSessionName("for_test");
assumeRoleRequest.setExternalId("ext_id");
获取SessionCredentials
AssumeRoleResult roleResult = tokenService.assumeRole(assumeRoleRequest);
Credentials credentials = roleResult.getCredentials();
AWSCredentials awsCredentials = new BasicSessionCredentials(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken());
工作
AmazonCloudFrontClient cloudFrontClient = new AmazonCloudFrontClient(awsCredentials);
抛出AWSSecurityTokenServiceException
User: arn:aws:iam::{account}:user/{user_name} is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{role_account}:role/{role_name} (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied;
我制定这样的政策。附加到IAM角色和IAM用户。
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1490674259000",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": [
"*"
]
}
]
}
编辑:
我使用IAM策略模拟器测试了策略(已修改)。
选择AWS Security Token Service-AssumeRole IAM Role ARN - 允许。