我已经在 .aws/credentials 文件中配置了 AWS 的角色(assume role)凭据。如何使用它来创建 STS 或 DynamoDB 客户端?例如:
// The question's snippet (AWS SDK for JavaScript v2), left exactly as posted
// because the answers further down refer to its key and variable names.
const { DynamoDB } = require('aws-sdk');
// DocumentClient is destructured here but not used anywhere in this snippet.
const { DocumentClient } = DynamoDB;
// Endpoint, region and all credential fields are read from environment variables.
const dynamo = new DynamoDB({
endpoint: process.env.AWS_ENDPOINT,
region: process.env.AWS_REGION,
accessKeyId: process.env.AWS_ACCESS_KEY_ID,
secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
// NOTE(review): the v2 SDK's credential option is `sessionToken`; `secretToken`
// is not a recognized key, so the session token is presumably never attached to
// the request, which would match the UnrecognizedClientException shown below.
// The variable name is also lower-case, unlike the others. Environment variable
// names are case-sensitive, and the SDK's own convention is AWS_SESSION_TOKEN.
secretToken: process.env.aws_security_token
});
但运行时出现了错误:
root@myubuntu:~/work/contacts_api# node ./seed/runner.js
```
检查“联系人”表是否存在 {UnrecognizedClientException:请求中包含的安全令牌无效。 在Request.extractError(/root/work/contacts_api/node_modules/aws-sdk/lib/protocol/json.js:51:27) 在Request.callListeners(/root/work/contacts_api/node_modules/aws-sdk/lib/sequential_executor.js:106:20) 在Request.emit(/root/work/contacts_api/node_modules/aws-sdk/lib/sequential_executor.js:78:10) 在Request.emit(/root/work/contacts_api/node_modules/aws-sdk/lib/request.js:683:14) 在Request.transition(/root/work/contacts_api/node_modules/aws-sdk/lib/request.js:22:10) 在AcceptorStateMachine.runTo(/root/work/contacts_api/node_modules/aws-sdk/lib/state_machine.js:14:12) 在/root/work/contacts_api/node_modules/aws-sdk/lib/state_machine.js:26:10 应要求。 (/root/work/contacts_api/node_modules/aws-sdk/lib/request.js:38:9) 应要求。 (/root/work/contacts_api/node_modules/aws-sdk/lib/request.js:685:12) 在Request.callListeners(/root/work/contacts_api/node_modules/aws-sdk/lib/sequential_executor.js:116:18) 消息:“请求中包含的安全令牌无效。”, 代码:“ UnrecognizedClientException”, 时间:2019-01-07T05:39:54.907Z, requestId:“ A5CFV62P0TGHJH7VDIBSL0JRC3VV4KQNSO5AEMVJF66Q9ASUAAJG”, statusCode:400, 可重试:错误, retryDelay:5.013458338738063}
```
如果我想使用 MFA 凭据,初始化凭据的正确方法是什么?
答案 0 :(得分:0)
我猜这里的错误应该给你一个线索:
"The security token included in the request is invalid"
您可以尝试打印出该环境变量的值:
# Shows whether the variable is set in the current shell. grep is case-sensitive,
# so this matches only the lower-case name. The matching line includes the token
# value, so avoid running it where terminal output is recorded or shared.
env | grep aws_security_token
如果为空,则必须在运行代码之前设置该值。
此外,我注意到您的其他 AWS 环境变量名都是大写字母,而 aws_security_token 却是小写字母;环境变量名区分大小写,请确认实际设置的变量名与代码中读取的一致。
答案 1 :(得分:0)
我怀疑 `secretToken` 并不是一个有效的配置项。下面是两个如何完成的示例(我以前就是这样做的)。
话虽如此,我建议尽可能构建并使用 `Credentials` 对象(第二个示例),但如果您想内联传入凭据,那也应该可行。
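/**
 * Assume a role through STS, then pass the returned temporary credentials
 * inline to a DocumentClient and run a single scan.
 *
 * Configuration is read from the environment: ROLE_ARN, ROLE_SESSION_NAME,
 * REGION and TABLE_NAME. `AWS` is the aws-sdk (v2) module and must already be
 * in scope where this runs.
 */
;(async () => {
  const sts = new AWS.STS()

  // For a role whose trust policy requires MFA, AssumeRole additionally takes
  // `SerialNumber` (the MFA device) and `TokenCode` (the current one-time code).
  const assumeRole = await sts
    .assumeRole({
      RoleArn: process.env.ROLE_ARN,
      RoleSessionName: process.env.ROLE_SESSION_NAME,
    })
    .promise()

  // Stop here if STS returned no credentials, rather than building a client
  // whose three credential fields are all undefined.
  const issued = assumeRole.Credentials
  if (!issued) {
    throw new Error('STS AssumeRole response contained no Credentials')
  }

  const dynamodb = new AWS.DynamoDB.DocumentClient({
    region: process.env.REGION,
    credentials: {
      accessKeyId: issued.AccessKeyId,
      secretAccessKey: issued.SecretAccessKey,
      // The option name is `sessionToken`; temporary keys are rejected
      // when the token is not sent along with them.
      sessionToken: issued.SessionToken,
    },
  })

  const scan = await dynamodb
    .scan({
      TableName: process.env.TABLE_NAME,
    })
    .promise()

  console.log(scan)
})().catch((err) => {
  // Report STS/DynamoDB failures and exit non-zero instead of leaving the
  // promise rejection unhandled.
  console.error(err)
  process.exitCode = 1
})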
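/**
 * Assume a role through STS, wrap the returned temporary credentials in an
 * AWS.Credentials object, and use that object to build a DocumentClient for
 * a single scan.
 *
 * Configuration is read from the environment: ROLE_ARN, ROLE_SESSION_NAME,
 * REGION and TABLE_NAME. `AWS` is the aws-sdk (v2) module and must already be
 * in scope where this runs.
 */
;(async () => {
  const sts = new AWS.STS()

  // For a role whose trust policy requires MFA, AssumeRole additionally takes
  // `SerialNumber` (the MFA device) and `TokenCode` (the current one-time code).
  const assumeRole = await sts
    .assumeRole({
      RoleArn: process.env.ROLE_ARN,
      RoleSessionName: process.env.ROLE_SESSION_NAME,
    })
    .promise()

  // Stop here if STS returned no credentials, rather than constructing a
  // Credentials object out of undefined values.
  const issued = assumeRole.Credentials
  if (!issued) {
    throw new Error('STS AssumeRole response contained no Credentials')
  }

  // AWS.Credentials holds a fixed key set built from this one AssumeRole call.
  // NOTE(review): for a long-running process, a refreshing provider such as
  // AWS.ChainableTemporaryCredentials is presumably a better fit. Confirm
  // against how long this client is expected to live.
  const credentials = new AWS.Credentials({
    accessKeyId: issued.AccessKeyId,
    secretAccessKey: issued.SecretAccessKey,
    sessionToken: issued.SessionToken,
  })

  const dynamodb = new AWS.DynamoDB.DocumentClient({
    region: process.env.REGION,
    credentials,
  })

  const scan = await dynamodb
    .scan({
      TableName: process.env.TABLE_NAME,
    })
    .promise()

  console.log(scan)
})().catch((err) => {
  // Report STS/DynamoDB failures and exit non-zero instead of leaving the
  // promise rejection unhandled.
  console.error(err)
  process.exitCode = 1
})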