我正在尝试使用Lambda函数通过STS假定角色生成临时的S3凭证。
为此,我在帐户上创建了一个具有AmazonS3FullAccess的角色
MyRole:
Type: AWS::IAM::Role
Properties:
RoleName: my-role
AssumeRolePolicyDocument:
Version: "2012-10-17"
Statement:
- Effect: Allow
Principal:
Service: s3.amazonaws.com
Action: sts:AssumeRole
ManagedPolicyArns:
- arn:aws:iam::aws:policy/AmazonS3FullAccess
对于lambda,我设置了以下附加权限:
- Version: "2012-10-17"
Statement:
- Effect: Allow
Action: sts:AssumeRole
Resource: !GetAtt MyRole.Arn # references the role above
在lambda中,我试图这样调用sts.assumeRole:
const sts = new AWS.STS();
const userId = 'asdf';
const releasePolicy = `{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject"
],
"Resource": [
"arn:aws:s3:::${Bucket}/${userId}/*"
]
}
]
}`;
const role = {
RoleArn: process.env.ROLE,
Policy: releasePolicy,
RoleSessionName: 'client-session',
DurationSeconds: 3600,
};
sts.assumeRole(role, (err, data) => {
if (err) console.log(err);
console.log(data);
});
但是无论我做什么,我似乎总是会遇到相同的错误:
"errorMessage": "User: arn:aws:sts::xxxxx:assumed-role/xxxxx-xxxxx-xxxxx/xxxxx-xxxxx-xxxxx is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxx:role/my-role",
"code": "AccessDenied",