AWSSecurityTokenServiceException:被拒绝。用户无权执行sts:AssumeRole
我是aws的新手。我想为aws调用生成临时凭证。为此,我使用Making Requests Using IAM User Temporary Credentials - AWS SDK for Java
中的示例我通过的地方
String clientRegion = "<specific region>";
String roleARN = "<ARN from role>";
String roleSessionName = "Just random string"; //<-- maybe I should pass specific SessionName?
String bucketName = "<specific bucket name>";
尝试担任角色时
stsClient.assumeRole(roleRequest);
收到错误
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 用户:arn:aws:iam ::: user /无权执行:
sts:AssumeRole on resource: arn:aws:iam::<ID>:role/<ROLE_NAME> (Service: AWSSecurityTokenService; Status Code: 403; Error Code:存取遭拒;请求ID:)
我有 cognito 角色。 我认为角色信任关系设置中的问题。 它看起来像这样:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<iam user ID>:user/<USER_NAME>",
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "<user pool ID>"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}
]
}
和用户政策(此用户政策已附加也适用于此角色):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "<sidId1>",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::<path>*"
]
},
{
"Sid": "sidId2",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithWebIdentity"
],
"Resource": [
"arn:aws:iam::<ID>:role/<ROLE_NAME>"
]
}
]
}
用户政策有两个警告:
我做错了什么?
UPD 我更改了角色信任关系,只需删除条件:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com",
"AWS": "arn:aws:iam::<ID>:user/<USER>"
},
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithWebIdentity"
]
}
]
}
现在访问被拒绝错误发生在另一行代码上:
// Verify that assuming the role worked and the permissions are set correctly
// by getting a set of object keys from the bucket.
ObjectListing objects = s3Client.listObjects(bucketName);
收到错误响应:com.amazonaws.services.s3.model.AmazonS3Exception:拒绝访问(服务:Amazon S3;状态代码:403;错误代码:AccessDenied;请求ID:),S3扩展请求ID:
0 个答案:
没有答案
相关问题
- 错误:用户未被授权执行:iam:GetInstanceProfile
- 用户无权执行:ses:VerifyEmailAddress
- AccessDenied:用户无权执行:cloudfront:CreateInvalidation
- 用户无权执行:cloudformation:CreateStack
- AccessDeniedException:用户无权执行:lambda:InvokeFunction
- 用户:anonymous无权执行:es:ESHttpPost on resource:
- 用户无权执行:ce:GetCostAndUsage
- AWSSecurityTokenServiceException:被拒绝。用户无权执行sts:AssumeRole
- 用户无权执行:资源上的SNS:CreateTopic
- 消息”:“”用户:匿名无权执行:iam:PassRole
最新问题
- 我写了这段代码,但我无法理解我的错误
- 我无法从一个代码实例的列表中删除 None 值,但我可以在另一个实例中。为什么它适用于一个细分市场而不适用于另一个细分市场?
- 是否有可能使 loadstring 不可能等于打印?卢阿
- java中的random.expovariate()
- Appscript 通过会议在 Google 日历中发送电子邮件和创建活动
- 为什么我的 Onclick 箭头功能在 React 中不起作用?
- 在此代码中是否有使用“this”的替代方法?
- 在 SQL Server 和 PostgreSQL 上查询,我如何从第一个表获得第二个表的可视化
- 每千个数字得到
- 更新了城市边界 KML 文件的来源?