When I use AWS, I switch roles to view client data in the console, and that works fine.
However, I tried to do the same thing using the boto3
package in Python and ran into an "Access Denied" error. I don't have permission to add IAM roles or edit trust policies in the console, but I don't think I should need to?
Sample code and error below:
Initial authentication to my account works fine
from boto.sts import STSConnection  # legacy boto 2 STS client used for the MFA session

mfa_TOTP = input("Enter the MFA code: ")
sts_connection = STSConnection()
# Returns a boto 2 Credentials object (access_key, secret_key, session_token)
tempCredentials = sts_connection.get_session_token(
    duration=3600,
    mfa_serial_number="arn:aws:iam::123xyz123:mfa/my.name",
    mfa_token=mfa_TOTP
)
print('MFA authentication successful :)')

Output:
Enter the MFA code: 123456
MFA authentication successful :)
Attempting to assume the role fails
import boto3

# df is a pandas DataFrame defined elsewhere; the split() calls below imply its
# Account column holds strings of the form "Name [account-id]"
account = df.Account[0]
acct_num = account.split('[')[1].split(']')[0]
role_arn = 'arn:aws:iam::' + str(acct_num) + ':role/this-user'
# No credentials are passed here, so boto3 falls back to its default credential chain
sts_client = boto3.client('sts')
assumed_role_object = sts_client.assume_role(
    RoleArn=role_arn,
    RoleSessionName=account.split(' ')[0]
)

ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::123xyz123:user/my.name is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::456abc456:role/this-user
Answer 0 (score: 1)
There is a problem with your policy; for sts_client.assume_role
to work, you need to allow STS to assume the Lambda role. You can add the following to your IAM policy to make it work:
{
    "Action": "sts:AssumeRole",
    "Resource": [
        "arn:aws:iam::*:role/this-user"
    ],
    "Effect": "Allow"
}
Answer 1 (score: 1)
You must include the temporary credentials when assuming the role, as below.
import boto3

# tempCredentials is the boto 2 Credentials object returned by get_session_token
# above; it exposes attributes, not dict keys
sts_client = boto3.client('sts',
    aws_access_key_id=tempCredentials.access_key,
    aws_secret_access_key=tempCredentials.secret_key,
    aws_session_token=tempCredentials.session_token
)
assumed_role_object = sts_client.assume_role(
    RoleArn=role_arn,
    RoleSessionName=account.split(' ')[0]
)
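The two answers describe the two halves of one authorization decision: Answer 0 covers the caller's identity-based policy in the source account, and Answer 1 covers calling with the MFA session credentials, which is what makes a trust-policy condition such as aws:MultiFactorAuthPresent evaluate to true on the AssumeRole call. The following is an added example, not code from the question or either answer: a small offline evaluator that applies both checks to sample policies. It is a simplification of IAM (Allow/Deny, wildcards in Action/Resource, account and ARN principals, the Bool MFA condition only), the account IDs and policy documents are constructed placeholders, and the function and class names are this example's own.

```python
"""Offline model of the cross-account sts:AssumeRole authorization check.

Added example, not from the page. A cross-account AssumeRole succeeds only when
BOTH hold: (1) the caller's identity-based policy allows sts:AssumeRole on the
target role ARN, and (2) the target role's trust policy trusts the caller and
every Condition on it is met. Simplified evaluator, not the real IAM engine.
"""
import fnmatch
from dataclasses import dataclass


@dataclass
class Caller:
    arn: str           # e.g. arn:aws:iam::111111111111:user/my.name (placeholder)
    mfa_present: bool  # True only for credentials obtained via get_session_token + MFA


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM '*' matches any characters, including ':' and '/'; fnmatch does the same.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller):
    if principal == "*":
        return True
    account_id = caller.arn.split(":")[4]
    for p in _as_list((principal or {}).get("AWS")):
        # ':root' (or a bare account id) trusts the whole account; the caller's own
        # identity policy then decides, which is why an Allow like Answer 0's is needed.
        if p in ("*", caller.arn, account_id, f"arn:aws:iam::{account_id}:root"):
            return True
    return False


def _conditions_met(stmt, caller):
    for operator, pairs in stmt.get("Condition", {}).items():
        if operator != "Bool":
            return False  # unsupported operator: conservatively treat as unmet
        for key, wanted in pairs.items():
            if key != "aws:MultiFactorAuthPresent":
                return False  # unknown key: conservatively treat as unmet
            if str(caller.mfa_present).lower() != str(wanted).lower():
                return False
    return True


def _evaluate(policy, action, resource, caller, check_principal):
    """Return 'Allow', 'Deny' or 'Implicit' for one policy document."""
    decision = "Implicit"
    for stmt in _as_list(policy.get("Statement")):
        if not _matches(stmt.get("Action"), action):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if check_principal and not _principal_matches(stmt.get("Principal"), caller):
            continue
        if not _conditions_met(stmt, caller):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny always wins
        decision = "Allow"
    return decision


def can_assume_role(identity_policy, trust_policy, caller, role_arn):
    """Return (allowed, reason) for caller assuming role_arn in another account."""
    action = "sts:AssumeRole"
    ident = _evaluate(identity_policy, action, role_arn, caller, check_principal=False)
    trust = _evaluate(trust_policy, action, role_arn, caller, check_principal=True)
    if "Deny" in (ident, trust):
        return False, "explicit Deny"
    if ident != "Allow":
        return False, "caller's identity policy does not allow sts:AssumeRole on the role"
    if trust != "Allow":
        return False, "role trust policy does not trust the caller or its Condition is unmet"
    return True, "allowed"


# Constructed sample policies with placeholder account IDs (not the page's).
CALLER_ARN = "arn:aws:iam::111111111111:user/my.name"
ROLE_ARN = "arn:aws:iam::222222222222:role/this-user"
IDENTITY_POLICY_MISSING = {"Version": "2012-10-17", "Statement": []}
IDENTITY_POLICY_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Resource": ["arn:aws:iam::*:role/this-user"]}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole",
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}]}

if __name__ == "__main__":
    for label, policy, mfa in [("no identity statement", IDENTITY_POLICY_MISSING, True),
                               ("fixed, long-term keys", IDENTITY_POLICY_FIXED, False),
                               ("fixed, MFA session", IDENTITY_POLICY_FIXED, True)]:
        print(label, "->", can_assume_role(policy, TRUST_POLICY, Caller(CALLER_ARN, mfa), ROLE_ARN))
```

The first case reproduces the situation in the question: the trust policy may well be fine, but with no Allow for sts:AssumeRole in the caller's identity policy the result is an implicit deny, which STS reports as AccessDenied. The second case is the trap Answer 1 addresses: even with the identity policy fixed, calling with the long-term user keys instead of the MFA session credentials leaves aws:MultiFactorAuthPresent false, so an MFA-conditioned trust policy still refuses the call.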