如何启用对AWS STS AssumeRole的访问

Question

如何启用对AWS STS AssumeRole的访问

Vla*_*gas 18 amazon-s3 amazon-web-services node.js amazon-iam aws-sdk

调用assume roleSTS方法时出错.它表示用户无权sts:AsumeRole在资源上执行xxx.

我做了以下事情:

我创建了一个访问S3存储桶的角色.
我对策略模拟器进行了测试并且工作正常
我创建了一个新组,在其中,我创建了一个新策略,可以在所有资源上启用所有sts操作.
我使用策略模拟器运行测试,以sts为角色,指向在第一步创建的角色的ARN; 它工作正常
我创建了一个新用户,并将其放在步骤3中创建的组中
使用新用户的凭据,我尝试使用sts asume角色获取新凭据,但抛出一个错误,说我的用户无权执行sts:AssumeRole

我究竟做错了什么？

集团政策

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "some-large-id",
            "Effect": "Allow",
            "Action": [
                "sts:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Run Code Online (Sandbox Code Playgroud)

角色政策

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "another-large-id",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket-name/*"
            ]
        }
    ]
}

Run Code Online (Sandbox Code Playgroud)

最后这样打电话

let policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "new-custom-id",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": ["arn:aws:s3:::my-bucket-name/*"]
        }
    ]
};

let params = {
    DurationSeconds: 3600, 
    ExternalId: 'some-value', 
    Policy: JSON.stringify(policy), 
    RoleArn: "arn:aws:iam::NUMBER:role/ROLE-NAME", //Cheked, role is the same that step one
    RoleSessionName: this.makeNewSessionId()
};
let sts = new AWS.STS({ apiVersion: '2012-08-10' });

sts.assumeRole(params, (err, data) => {
    if(err) console.log(err);
    else console.log(data);
});

Run Code Online (Sandbox Code Playgroud)

Answer 1

Vla*_*gas 28

缺少一个步骤:在第一步中创建的角色上设置信任关联.无论用户拥有什么特权,如果没有设置信任关系,STS都会拒绝该请求.

IAM角色故障排除解释了它的工作原理.

这帮助了我。它指定如何在 Principal 中设置值。http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_principal.html (4认同)
您可以包括工作信托政策吗？ (2认同)

Answer 2

Mr *_*ial 15

我遇到了同样的问题。我修复的这些步骤如下：

创建新角色附加策略：AmazonS3FullAccess，（复制角色 ARN，在下面的代码中使用）
选择信任关系选项卡 - 编辑信任关系

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::IAM_USER_ID:user/haipv",//the roleARN need to be granted, use * for all
        "Service": "s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Run Code Online (Sandbox Code Playgroud)

更新信任关系

示例代码：

import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ObjectListing;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;

public class Main {
    public static void main(String[] args) {
        Regions clientRegion = Regions.AP_SOUTHEAST_1;
        String roleARN = "arn:aws:iam::IAM_USER_ID:role/haipvRole"; // the roleARN coppied above
        String roleSessionName = "haipv-session";
        String bucketName = "haipv.docketName";//file_example_MP4_640_3MG.mp4
         String accesskey = "YOURKEY";
         String secretkey = "YOUR SECRET KEY";
        try {

            BasicAWSCredentials credentials = new BasicAWSCredentials(accesskey, secretkey);

            // Creating the STS client is part of your trusted code. It has
            // the security credentials you use to obtain temporary security credentials.
            AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                    .withCredentials(new AWSStaticCredentialsProvider(credentials))
                    .withRegion(clientRegion)
                    .build();

            // Obtain credentials for the IAM role. Note that you cannot assume the role of an AWS root account;
            // Amazon S3 will deny access. You must use credentials for an IAM user or an IAM role.
            AssumeRoleRequest roleRequest = new AssumeRoleRequest()
                    .withRoleArn(roleARN)
                    .withRoleSessionName(roleSessionName);
            AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
            Credentials sessionCredentials = roleResponse.getCredentials();

            // Create a BasicSessionCredentials object that contains the credentials you just retrieved.
            BasicSessionCredentials awsCredentials = new BasicSessionCredentials(
                    sessionCredentials.getAccessKeyId(),
                    sessionCredentials.getSecretAccessKey(),
                    sessionCredentials.getSessionToken());

            // Provide temporary security credentials so that the Amazon S3 client
            // can send authenticated requests to Amazon S3. You create the client
            // using the sessionCredentials object.
            AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                    .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
                    .withRegion(clientRegion)
                    .build();

            // Verify that assuming the role worked and the permissions are set correctly
            // by getting a set of object keys from the bucket.
            ObjectListing objects = s3Client.listObjects(bucketName);
            System.out.println("No. of Objects: " + objects.getObjectSummaries().size());
        }
        catch(AmazonServiceException e) {
            // The call was transmitted successfully, but Amazon S3 couldn't process
            // it, so it returned an error response.
            e.printStackTrace();
        }
        catch(SdkClientException e) {
            // Amazon S3 couldn't be contacted for a response, or the client
            // couldn't parse the response from Amazon S3.
            e.printStackTrace();
        }
    }
}

Run Code Online (Sandbox Code Playgroud)

请参考此链接中的官方文档

这个对我有用。

Answer 3

sma*_*020 13

对于您要承担的角色，例如使用 STS Java V2 API（不是 Node），您需要设置信任关系。在信任关系中，指定信任的用户。例如：

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "<Specify the ARN of your IAM user you are using in this code example>"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }

Run Code Online (Sandbox Code Playgroud)

例如，现在您可以运行 Java 程序来调用假设角色操作。

package com.example.sts;

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.StsException;
import software.amazon.awssdk.services.sts.model.AssumeRoleResponse;
import software.amazon.awssdk.services.sts.model.Credentials;
import java.time.Instant;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.time.format.FormatStyle;
import java.util.Locale;

/**
 * To make this code example work, create a Role that you want to assume.
 * Then define a Trust Relationship in the AWS Console. YOu can use this as an example:
 *
 * {
 *   "Version": "2012-10-17",
 *   "Statement": [
 *     {
 *       "Effect": "Allow",
 *       "Principal": {
 *         "AWS": "<Specify the ARN of your IAM user you are using in this code example>"
 *       },
 *       "Action": "sts:AssumeRole"
 *     }
 *   ]
 * }
 *
 *  For more information, see "Editing the Trust Relationship for an Existing Role" in the AWS Directory Service guide.
 */

public class AssumeRole {

    public static void main(String[] args) {

         String roleArn = "arn:aws:iam::000540000000:role/s3role" ; // args[0];
        String roleSessionName = "mysession101"; // args[1];

        Region region = Region.US_EAST_1;
        StsClient stsClient = StsClient.builder()
                .region(region)
                .build();

       try {
        AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
                .roleArn(roleArn)
                .roleSessionName(roleSessionName)
                .build();

           AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest);

           Credentials myCreds = roleResponse.credentials();

           //Display the time when the temp creds expire
           Instant exTime = myCreds.expiration();

           // Convert the Instant to readable date
           DateTimeFormatter formatter =
                   DateTimeFormatter.ofLocalizedDateTime( FormatStyle.SHORT )
                           .withLocale( Locale.US)
                           .withZone( ZoneId.systemDefault() );

           formatter.format( exTime );
           System.out.println("The temporary credentials expire on " + exTime );

       } catch (StsException e) {
           System.err.println(e.getMessage());
           System.exit(1);
       }

   }
}

Run Code Online (Sandbox Code Playgroud)

如果不设置信任关系，此代码将不起作用。

知道为什么我仍然会收到此错误吗？`"AccessDenied: 用户：arn:aws:sts::Account1:assumed-role/aws-discovery-lambda-role/aws-discovery 无权对资源执行：sts:AssumeRole：arn:aws:iam::Account2 :role/DiscoveryAPIRole"` 当我添加相同的可信策略但对于同一帐户中的用户时，它可以工作。 (2认同)

归档时间：	8 年，8 月前
查看次数：	18912 次
最近记录：	6 年，1 月前