AWS API: AssumeRole access denied

Time: 2020-08-21 14:21:07

Tags: python amazon-web-services boto3 assume-role

When I use AWS I switch roles to view client data in the console, and that works fine.

[image: example of role switch]

However, when I try to do the same thing with the boto3 package in Python I get an "Access Denied" error. I don't have permission to add IAM roles or edit trust policies in the console, but I don't think I should need to?

Sample code and error below:

Initial authentication to my account works fine

import boto3
from boto.sts import STSConnection  # legacy boto 2 client; get_session_token below uses its keyword arguments

mfa_TOTP = input("Enter the MFA code: ")

sts_connection = STSConnection()

# Returns a boto 2 Credentials object (access_key, secret_key, session_token)
tempCredentials = sts_connection.get_session_token(
    duration=3600,
    mfa_serial_number="arn:aws:iam::123xyz123:mfa/my.name",
    mfa_token=mfa_TOTP
)
print('MFA authentication successful :)')

Output:

Enter the MFA code: 123456
MFA authentication successful :)

Attempting to assume the role fails

# df is a pandas DataFrame defined elsewhere; the Account column carries the
# account number in square brackets, which is extracted here
account = df.Account[0]
acct_num = account.split('[')[1].split(']')[0]

role_arn = 'arn:aws:iam::' + str(acct_num) + ':role/this-user'

# Note: this client is built from the default credentials, not from tempCredentials above
sts_client = boto3.client('sts')
assumed_role_object = sts_client.assume_role(
    RoleArn = role_arn,
    RoleSessionName = account.split(' ')[0]
)

Error:

ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::123xyz123:user/my.name is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::456abc456:role/this-user

2 answers:

Answer 0 (score: 1)

There is a problem with your policy. For sts_client.assume_role to work, you need to allow STS to assume the Lambda role. You can add the following to your IAM policy to make it work:

{
  "Action": "sts:AssumeRole",
  "Resource": [
    "arn:aws:iam::*:role/this-user"
  ],
  "Effect": "Allow"
}

Answer 1 (score: 1)

When assuming the role, you must include the temporary credentials.

# tempCredentials is the boto 2 Credentials object returned by get_session_token;
# it exposes attributes rather than dictionary keys
sts_client = boto3.client('sts',
   aws_access_key_id=tempCredentials.access_key,
   aws_secret_access_key=tempCredentials.secret_key,
   aws_session_token=tempCredentials.session_token
)

# role_arn and account as defined in the question
assumed_role_object = sts_client.assume_role(
   RoleArn = role_arn,
   RoleSessionName = account.split(' ')[0]
)
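The two checks behind the AccessDenied in the question, as an added example that is not part of the original thread and is hypothetical code rather than AWS's own evaluation engine: a cross-account sts:AssumeRole succeeds only when the caller's identity-based policy allows sts:AssumeRole on the role ARN (the statement the first answer adds) and the role's trust policy admits the caller, commonly only when aws:MultiFactorAuthPresent is true, which is why the second answer builds the STS client from the MFA session credentials instead of the long-term keys. The trust policy, the request-context keys and the simplified evaluator (Bool and StringEquals conditions, "AWS" principals only; no permission boundaries, SCPs or session policies) are assumptions; the two ARNs are the ones from the question's error message.

```python
import re

CALLER_ARN = "arn:aws:iam::123xyz123:user/my.name"   # from the question's error message
ROLE_ARN = "arn:aws:iam::456abc456:role/this-user"    # from the question's error message


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    # IAM-style wildcards: '*' matches any run of characters, '?' a single character
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def _conditions_hold(conditions, context):
    # Simplified model: only Bool and StringEquals; a missing context key fails the condition
    for operator, pairs in conditions.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "StringEquals":
                if actual not in _as_list(expected):
                    return False
            else:
                raise ValueError(f"condition operator {operator} not modelled")
    return True


def identity_decision(policy, action, resource, context):
    """Evaluate an identity-based policy: explicit Deny wins, else Allow or ImplicitDeny."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if not any(_glob(a, action) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_glob(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def _principal_matches(pattern, caller_arn):
    if pattern == "*":
        return True
    if pattern.endswith(":root"):  # whole-account principal: compare the account-id field
        return pattern.split(":")[4] == caller_arn.split(":")[4]
    return _glob(pattern, caller_arn)


def trust_decision(trust_policy, caller_arn, context):
    """Evaluate the role's trust policy for sts:AssumeRole by the given caller."""
    decision = "ImplicitDeny"
    for stmt in _as_list(trust_policy.get("Statement")):
        if not any(_glob(a, "sts:AssumeRole") for a in _as_list(stmt.get("Action"))):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS"))
        if not any(_principal_matches(p, caller_arn) for p in principals):
            continue
        if not _conditions_hold(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def can_assume_role(identity_policy, trust_policy, caller_arn, role_arn, context):
    """Combine both checks; returns (allowed, reason)."""
    ident = identity_decision(identity_policy, "sts:AssumeRole", role_arn, context)
    if ident != "Allow":
        return False, f"identity policy: {ident} for sts:AssumeRole on {role_arn}"
    trust = trust_decision(trust_policy, caller_arn, context)
    if trust != "Allow":
        return False, f"trust policy of {role_arn}: {trust} for {caller_arn}"
    return True, "allowed by both identity policy and trust policy"


# Constructed sample policies: the identity statement is the one from the first answer;
# the trust policy is an assumed one admitting the caller's account only with MFA present.
EMPTY_POLICY = {"Version": "2012-10-17", "Statement": []}
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Action": "sts:AssumeRole", "Resource": ["arn:aws:iam::*:role/this-user"], "Effect": "Allow"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123xyz123:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}
NO_MFA = {}                                            # long-term user keys (default credentials)
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true"}   # session credentials from get_session_token + MFA


def demo():
    return {
        "no_policy": can_assume_role(EMPTY_POLICY, TRUST_POLICY, CALLER_ARN, ROLE_ARN, MFA_SESSION),
        "policy_no_mfa": can_assume_role(IDENTITY_POLICY, TRUST_POLICY, CALLER_ARN, ROLE_ARN, NO_MFA),
        "policy_mfa": can_assume_role(IDENTITY_POLICY, TRUST_POLICY, CALLER_ARN, ROLE_ARN, MFA_SESSION),
    }


if __name__ == "__main__":
    for name, (ok, why) in demo().items():
        print(f"{name}: {'ALLOW' if ok else 'DENY'} ({why})")
```

The first scenario reproduces the question's situation (no identity-policy statement, so an implicit deny before the trust policy is even consulted); the second shows that the first answer's statement alone is not enough when the trust policy demands MFA and the client was built from long-term keys; the third is the combination both answers lead to.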