Question

我们有一个多账户AWS设置。每个客户负责一个不同的发展通道（DEV，QA，生产）。

我们还使用ADFS对这些不同的通道进行身份验证。

我将通过以下aws cli调用来设置凭据

aws-adfs login --profile=master --adfs-host=adfs.whatever.com --no-ssl-verification

生成的凭据文件如下所示

[master]
aws_access_key_id = key_id
aws_secret_access_key = access_key
aws_session_token = session_token
aws_security_token = security_token

其他泳道在配置文件中被标识为配置文件

[default]

[profile master]
region = us-west-2
output = text
adfs_config.ssl_verification = False
adfs_config.role_arn = arn:aws:iam::XXXXXXXXX:role/AD_DeveloperRole
adfs_config.adfs_host = adfs.whatever.com
adfs_config.adfs_user = me@whatever.com
adfs_config.session_duration = 3600

[profile development]
role_arn = arn:aws:iam::YYYYYYY:role/DeveloperRole
source_profile = master
region = us-west-2
output = json
adfs_config.ssl_verification = False
adfs_config.role_arn = arn:aws:iam::XXXXXXXXX:role/AD_DeveloperRole
adfs_config.adfs_host = adfs.whatever.com
adfs_config.adfs_user = me@whatever.com
adfs_config.session_duration = 3600

使用aws cli，我可以通过其他个人资料访问这些其他车道。这是一个例子

aws --profile=development ssm get-parameters-by-path --path /SOME_PARAMETER

但是，我想用代码来做到这一点。这就是我使用AWS-JAVA-SDK复制它的方式

String region = new AwsProfileRegionProvider("profile development").getRegion();
CsmConfigurationProvider csmConfig = new ProfileCsmConfigurationProvider("profile development");
AWSCredentialsProvider credentialsProvider = new ProfileCredentialsProvider("master");

AWSSimpleSystemsManagement ssm = AWSSimpleSystemsManagementClientBuilder.standard()
.withCredentials(credentialsProvider)
.withRegion(region)
.withClientSideMonitoringConfigurationProvider(csmConfig)
.build();

GetParametersByPathRequest request = new GetParametersByPathRequest();
request.setPath("/SOME_PARAMETER");
GetParametersByPathResult result = ssm.getParametersByPath(request);

但是我收到错误消息

com.amazonaws.services.simplesystemsmanagement.model.AWSSimpleSystemsManagementException: User: arn:aws:sts::XXXXXXXXX:assumed-role/AD_DeveloperRole/me@whatever.com is not authorized to perform: ssm:GetParametersByPath on resource: arn:aws:ssm:us-west-2:XXXXXXXXX:parameter/SOME_PARAMETER (Service: AWSSimpleSystemsManagement; Status Code: 400; Error Code: AccessDeniedException; Request ID: ***********)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1660) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1324) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1074) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:745) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:719) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:701) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:669) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:651) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:515) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.doInvoke(AWSSimpleSystemsManagementClient.java:8126) ~[aws-java-sdk-ssm-1.11.415.jar:na]
    at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.invoke(AWSSimpleSystemsManagementClient.java:8095) ~[aws-java-sdk-ssm-1.11.415.jar:na]
    at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.invoke(AWSSimpleSystemsManagementClient.java:8084) ~[aws-java-sdk-ssm-1.11.415.jar:na]
    at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.executeGetParametersByPath(AWSSimpleSystemsManagementClient.java:5021) ~[aws-java-sdk-ssm-1.11.415.jar:na]
    at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.getParametersByPath(AWSSimpleSystemsManagementClient.java:4992) ~[aws-java-sdk-ssm-1.11.415.jar:na]

您会注意到它正在尝试查找资源： arn：aws：ssm：us-west-2：XXXXXXXXX：parameter / SOME_PARAMETER 而不是资源： arn：aws ：ssm：us-west-2：YYYYYYY：parameter / SOME_PARAMETER

如果我使用配置文件“开发”而不是“主”更新ProfileCredentialsProvider，则会收到错误消息

java.lang.IllegalArgumentException: No AWS profile named 'development'
    at com.amazonaws.auth.profile.ProfilesConfigFile.getCredentials(ProfilesConfigFile.java:158) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.auth.profile.ProfileCredentialsProvider.getCredentials(ProfileCredentialsProvider.java:161) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1186) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:776) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:726) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:719) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:701) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:669) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:651) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:515) ~[aws-java-sdk-core-1.11.415.jar:na]
    at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.doInvoke(AWSSimpleSystemsManagementClient.java:8126) ~[aws-java-sdk-ssm-1.11.415.jar:na]
    at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.invoke(AWSSimpleSystemsManagementClient.java:8095) ~[aws-java-sdk-ssm-1.11.415.jar:na]
    at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.invoke(AWSSimpleSystemsManagementClient.java:8084) ~[aws-java-sdk-ssm-1.11.415.jar:na]
    at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.executeGetParametersByPath(AWSSimpleSystemsManagementClient.java:5021) ~[aws-java-sdk-ssm-1.11.415.jar:na]
    at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.getParametersByPath(AWSSimpleSystemsManagementClient.java:4992) ~[aws-java-sdk-ssm-1.11.415.jar:na]

我需要在Java代码中进行哪些更改，以便它可以访问存储在YYYYYYY中而不是XXXXXXXXX的参数？

Answer 1

在这里aws-cli-role-assumption-profiles-are-incompatible-with-sdk

找到了答案

显然，这已在AWS Java SDK 2.x中修复。

AWS Java SDK按配置文件调用

1 个答案: