In the AWS QA env, I am able to get AWS parameters from Parameter Store.
My username in the QA AWS cloud is abc.xyz (firstName=abc, lastName=xyz). I do the following and I am able to get the parameters from AWS Parameter Store with no problem, using `RoleArn_QA = "arn:aws:iam::12345:role/mySecrets"`:

```python
import boto3
from boto3 import Session
from ssm_parameter_store import EC2ParameterStore  # pip package: ssm-parameter-store

RoleArn_QA = "arn:aws:iam::12345:role/mySecrets"  # hyphens are not valid in Python names
RoleSessionName = "mySecretsSession"              # placeholder: any session name
ExternalId = "<external-id>"                      # placeholder: value required by the role's trust policy
awsRegion = "us-east-1"                           # placeholder region

stsClient = boto3.client('sts')
assumedRoleObject = stsClient.assume_role(RoleArn=RoleArn_QA, RoleSessionName=RoleSessionName, ExternalId=ExternalId)
# Temporary credentials are only valid together with their session token
session = Session(aws_access_key_id=assumedRoleObject['Credentials']['AccessKeyId'],
                  aws_secret_access_key=assumedRoleObject['Credentials']['SecretAccessKey'],
                  aws_session_token=assumedRoleObject['Credentials']['SessionToken'])
client = session.client('sts')
accessKey = str(assumedRoleObject['Credentials']['AccessKeyId'])
secretKey = str(assumedRoleObject['Credentials']['SecretAccessKey'])
SessionToken = str(assumedRoleObject['Credentials']['SessionToken'])
store = EC2ParameterStore(
    aws_access_key_id=accessKey,
    aws_secret_access_key=secretKey,
    aws_session_token=SessionToken,
    region_name=awsRegion)
```
But in prod, given that my username in prod is axyz, and that this user is a trusted user of the role ARN mySecrets (arn:aws:iam::6789:role/mySecrets), with `RoleArn_Prod = "arn:aws:iam::6789:role/mySecrets"`, when I run similar code for prod with the new RoleArn_Prod:

```python
import boto3
from boto3 import Session
from ssm_parameter_store import EC2ParameterStore  # pip package: ssm-parameter-store

RoleArn_Prod = "arn:aws:iam::6789:role/mySecrets"  # hyphens are not valid in Python names
RoleSessionName = "mySecretsSession"               # placeholder: any session name
ExternalId = "<external-id>"                       # placeholder: value required by the role's trust policy
awsRegion = "us-east-1"                            # placeholder region

stsClient = boto3.client('sts')
assumedRoleObject = stsClient.assume_role(RoleArn=RoleArn_Prod, RoleSessionName=RoleSessionName, ExternalId=ExternalId)
# Temporary credentials are only valid together with their session token
session = Session(aws_access_key_id=assumedRoleObject['Credentials']['AccessKeyId'],
                  aws_secret_access_key=assumedRoleObject['Credentials']['SecretAccessKey'],
                  aws_session_token=assumedRoleObject['Credentials']['SessionToken'])
client = session.client('sts')
accessKey = str(assumedRoleObject['Credentials']['AccessKeyId'])
secretKey = str(assumedRoleObject['Credentials']['SecretAccessKey'])
SessionToken = str(assumedRoleObject['Credentials']['SessionToken'])
store = EC2ParameterStore(
    aws_access_key_id=accessKey,
    aws_secret_access_key=secretKey,
    aws_session_token=SessionToken,
    region_name=awsRegion)
```
I get this error:

```
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::12345:user/abc.xyz is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::6789:role/mySecrets
```
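The error names the calling principal (an IAM user in account 12345) and the target role (in account 6789), so the first thing to check is whether the prod role's trust policy actually covers that principal and ExternalId. The following offline checker is an added example, not code from the question; it models how a trust policy's Allow statements, AWS principals and `sts:ExternalId` condition decide an AssumeRole call, and the policy document and external-id value in it are constructed placeholders (the real prod trust policy is not shown in the question).

```python
import json
import re

# Constructed sample trust policy for the prod role (placeholder, not the real one).
PROD_TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::12345:user/abc.xyz"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}
""")

ARN_RE = re.compile(r"^arn:aws:iam::(\d+):(root|user/.+|role/.+)$")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _account_of(arn):
    m = ARN_RE.match(arn)
    return m.group(1) if m else None

def principal_matches(allowed, caller_arn):
    """True if one AWS principal entry of a trust policy covers caller_arn."""
    if allowed == "*" or allowed == caller_arn:
        return True
    # A bare account id or the account root ARN delegates trust to the whole account.
    acct = _account_of(caller_arn)
    return acct is not None and allowed in (acct, f"arn:aws:iam::{acct}:root")

def trust_policy_allows(policy, caller_arn, external_id=None):
    """Would this trust policy let caller_arn call sts:AssumeRole?
    Models Allow statements, AWS principals and the sts:ExternalId condition only."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        prin = stmt.get("Principal", {})
        principals = _as_list(prin if isinstance(prin, str) else prin.get("AWS", []))
        if not any(principal_matches(p, caller_arn) for p in principals):
            continue
        want = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if want is not None and want != external_id:
            continue
        return True
    return False
```

The trust policy is only one side of a cross-account AssumeRole: the caller's own identity policy in account 12345 must also allow `sts:AssumeRole` on the prod role ARN, and the AccessDenied message does not say which of the two denied the call.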