我正在关注一个教程,在该教程中我在EC2实例上担任角色,因此它可以访问服务。我正在遵循本教程(https://medium.com/swlh/aws-iam-assuming-an-iam-role-from-an-ec2-instance-882081386c49),但是当我开始运行“ aws s3 ls”时,我仍然停留在cli部分。只是我知道它有效,所以我向AssumedRole授予了对s3的所有访问权限。
这是我的设置:
ImplicitRole // will be attached to EC2
policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::xxx:role/*"
}
]
}
AssumedRole // will be the role assumed once logged in to EC2
policy:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:*"
],
"Resource": [
"arn:aws:s3:::*"
]
}
]
}
会发生什么事,我将在cli上运行以下内容
aws sts assume-role --role-arn arn:aws:iam::****:role/AssumedRole --role-session-name test-session
然后我将获得证书
{
"Credentials": {
"AccessKeyId": "key",
"SecretAccessKey": "secret",
"SessionToken": "longtoken",
"Expiration": "2020-07-08T07:29:51+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "AKDIEEOOKDLKSDJFDJ:test-session",
"Arn": "arn:aws:sts::xxxx:assumed-role/AssumedRole/test-session"
}
}
然后将更新变量,例如:设置AWS_ACCESS_KEY_ID = XXXX等
完成后,我将运行以下命令,但它会给我ListObject AccessDenied
aws s3 ls s3://bucket
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied