我可以通过另一个aws帐户发布的AWS IAM Role获取凭据吗?

时间:2017-03-28 04:28:41

标签: amazon-web-services amazon-iam aws-sts

不幸的是,我为这项工作丢失了几天。

如何通过IAM角色获取临时凭证?这可能吗?

这是我的场景和代码。(Java上的AWS SDK)

  • AWS账户accessKey和secretKey的STS实例

    AWSSecurityTokenService tokenService = new AWSSecurityTokenServiceClient(new BasicAWSCredentials(awsProperty.getAccess(), awsProperty.getSecret()));
    
  • 制作AssumeRoleRequest

    AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest();
    assumeRoleRequest.setRoleArn(arn);
    assumeRoleRequest.setDurationSeconds(900);
    assumeRoleRequest.setRoleSessionName("for_test");
    assumeRoleRequest.setExternalId("ext_id");
    
  • 获取SessionCredentials

    AssumeRoleResult roleResult =  tokenService.assumeRole(assumeRoleRequest);
    Credentials credentials = roleResult.getCredentials();
    
    AWSCredentials awsCredentials = new BasicSessionCredentials(credentials.getAccessKeyId(), credentials.getSecretAccessKey(), credentials.getSessionToken());
    
  • 工作

    AmazonCloudFrontClient cloudFrontClient = new AmazonCloudFrontClient(awsCredentials);
    

抛出AWSSecurityTokenServiceException

User: arn:aws:iam::{account}:user/{user_name} is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{role_account}:role/{role_name} (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; 

我制定这样的政策。附加到IAM角色和IAM用户。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1490674259000",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

编辑:

我使用IAM策略模拟器测试了策略(已修改)。 选择AWS Security Token Service-AssumeRole IAM Role ARN - 允许。

1 个答案:

答案 0 :(得分:1)

您应该在IAM角色中添加trust relationship以允许它被假定。