我是aws的新手。我想为aws调用生成临时凭证。为此,我使用Making Requests Using IAM User Temporary Credentials - AWS SDK for Java
中的示例我通过的地方
String clientRegion = "<specific region>";
String roleARN = "<ARN from role>";
String roleSessionName = "Just random string"; //<-- maybe I should pass specific SessionName?
String bucketName = "<specific bucket name>";
尝试担任角色时
stsClient.assumeRole(roleRequest);
收到错误
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 用户:arn:aws:iam ::: user /无权执行:
sts:AssumeRole on resource: arn:aws:iam::<ID>:role/<ROLE_NAME> (Service: AWSSecurityTokenService; Status Code: 403; Error Code:
存取遭拒;请求ID:)
我有 cognito 角色。 我认为角色信任关系设置中的问题。 它看起来像这样:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<iam user ID>:user/<USER_NAME>",
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "<user pool ID>"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}
]
}
和用户政策(此用户政策已附加也适用于此角色):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "<sidId1>",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::<path>*"
]
},
{
"Sid": "sidId2",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithWebIdentity"
],
"Resource": [
"arn:aws:iam::<ID>:role/<ROLE_NAME>"
]
}
]
}
用户政策有两个警告:
UPD 我更改了角色信任关系,只需删除条件:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com",
"AWS": "arn:aws:iam::<ID>:user/<USER>"
},
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithWebIdentity"
]
}
]
}
现在访问被拒绝错误发生在另一行代码上:
// Verify that assuming the role worked and the permissions are set correctly
// by getting a set of object keys from the bucket.
ObjectListing objects = s3Client.listObjects(bucketName);
收到错误响应:com.amazonaws.services.s3.model.AmazonS3Exception:拒绝访问(服务:Amazon S3;状态代码:403;错误代码:AccessDenied;请求ID:),S3扩展请求ID: