java - User: arn:aws:sts::{account_id}:assumed-role/* is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{account_id}:role/*

Reposted. Author: 行者123. Updated: 2023-12-03 07:12:11

I am creating two resources with a CloudFormation template: an AWS Lambda function and a role.
I pass the role ARN to the function as an environment variable and later use it in the S3 connection code, but I get this exception:

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 
User: arn:aws:sts::{account_id}:assumed-role/* is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{account_id}:role/*
Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: ; Proxy: null)

How do I add the same role to both the trust relationship and the inline policy?
How do I get past the exception above?

Other solutions are welcome.

CloudFormation template snippet

Resources:
  LambdaFunctionExecutionRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service:
                - lambda.amazonaws.com
              # AWS:
              #   - {Role ARN}
            Action:
              - 'sts:AssumeRole'
      Path: /
      ManagedPolicyArns:
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole'
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole'
        - 'arn:aws:iam::aws:policy/SecretsManagerReadWrite'
        - 'arn:aws:iam::aws:policy/AmazonS3FullAccess'
        - 'arn:aws:iam::aws:policy/CloudWatchLogsFullAccess'
        - 'arn:aws:iam::aws:policy/AmazonSSMReadOnlyAccess'
        - 'arn:aws:iam::aws:policy/service-role/AWSLambdaRole'
      Policies:
        - PolicyName: CustomLambdaPolicy
          PolicyDocument:
            Statement:
              - Effect: Allow
                Action:
                  - 'ec2:Describe*'
                  - 'ec2:Get*'
                Resource: '*'

  LambdaFunction:
    Type: AWS::Serverless::Function
    Properties:
      Description: !Ref Name
      FunctionName: !Ref Name
      Handler: com.fileservice::handleRequest
      Role: !GetAtt LambdaFunctionExecutionRole.Arn
      Timeout: 900
      MemorySize: 512
      Environment:
        Variables:
          bucketName: !Ref S3BucketName
          roleARN: !GetAtt LambdaFunctionExecutionRole.Arn
      CodeUri: target/fileservice-1.0.0.jar
      Runtime: java11

AWS S3 connection code snippet

import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.client.builder.AwsClientBuilder.EndpointConfiguration;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;

public AmazonS3 connectS3(String roleArn, String region) {
    // Call STS AssumeRole on roleArn (here: the function's own execution role)
    STSAssumeRoleSessionCredentialsProvider stsAssumeRoleSessionCredentialsProvider =
            new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, "MySession")
                    .withStsClient(AWSSecurityTokenServiceClientBuilder.standard().build())
                    .withRoleSessionDurationSeconds(900)
                    .build();

    // Copy the temporary credentials into a static set (these will not refresh)
    BasicSessionCredentials basicSessionCredentials = new BasicSessionCredentials(
            stsAssumeRoleSessionCredentialsProvider.getCredentials().getAWSAccessKeyId(),
            stsAssumeRoleSessionCredentialsProvider.getCredentials().getAWSSecretKey(),
            stsAssumeRoleSessionCredentialsProvider.getCredentials().getSessionToken());

    System.out.println("serviceEndpoint:- " + String.format("https://s3.%s.amazonaws.com", region));
    AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
            .withCredentials(new AWSStaticCredentialsProvider(basicSessionCredentials))
            .withEndpointConfiguration(
                    new EndpointConfiguration(String.format("https://s3.%s.amazonaws.com", region), region))
            .build();
    return s3Client;
}

Best answer

LambdaFunction:
  Type: AWS::Serverless::Function
  Properties:
    Role: !GetAtt LambdaFunctionExecutionRole.Arn

If you use the Role property of AWS::Serverless::Function, there is no need to assume that role again in the Lambda code. Any AWS SDK or the CLI will automatically retrieve the credentials associated with that role.

Reference: https://docs.aws.amazon.com/lambda/latest/dg/lambda-intro-execution-role.html (from the docs: You provide this role when you create a function, and Lambda assumes the role when your function is invoked.)

Ignoring the fact that there should be no reason to allow a role to assume itself, with CloudFormation it is not possible to reference a role's ARN inside the role definition itself. Trying to use !GetAtt LambdaFunctionExecutionRole.Arn in the trust policy of LambdaFunctionExecutionRole will give a circular dependency error.

Edit, regarding the code changes the OP has now included in the question:

Instead of:

public AmazonS3 connectS3(String roleArn, String region) {
    STSAssumeRoleSessionCredentialsProvider stsAssumeRoleSessionCredentialsProvider =
            new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, "MySession")
                    .withStsClient(AWSSecurityTokenServiceClientBuilder.standard().build())
                    .withRoleSessionDurationSeconds(900)
                    .build();

    BasicSessionCredentials basicSessionCredentials = new BasicSessionCredentials(
            stsAssumeRoleSessionCredentialsProvider.getCredentials().getAWSAccessKeyId(),
            stsAssumeRoleSessionCredentialsProvider.getCredentials().getAWSSecretKey(),
            stsAssumeRoleSessionCredentialsProvider.getCredentials().getSessionToken());

    System.out.println("serviceEndpoint:- " + String.format("https://s3.%s.amazonaws.com", region));
    AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
            .withCredentials(new AWSStaticCredentialsProvider(basicSessionCredentials))
            .withEndpointConfiguration(
                    new EndpointConfiguration(String.format("https://s3.%s.amazonaws.com", region), region))
            .build();
    return s3Client;
}

why not do this?

public AmazonS3 connectS3(String region) {
    // The default credential provider chain picks up the execution role's
    // credentials that Lambda injects into the function environment.
    AmazonS3 s3Client = AmazonS3ClientBuilder.standard().withRegion(region).build();
    return s3Client;
}

If your code runs in an AWS Lambda function, you don't need to perform an AssumeRole operation to get credentials; you can use the role assigned to the Lambda function directly to access S3. The only reason to try to assume a role is if it is a completely separate role that has required permissions the role assigned to the AWS Lambda function does not have.
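As an added example that is not part of the question or the answer: the one legitimate case the answer names, a separate role holding S3 permissions the execution role lacks, written so CloudFormation does not hit the circular dependency the answer mentions. The resource names S3AccessRole and AllowAssumeS3AccessRole are assumed; S3BucketName is the page's own parameter, and connectS3 would then be called with S3AccessRole's ARN rather than the execution role's own.

```yaml
Resources:
  # Execution role: Lambda assumes it per invocation, so the SDK already has its credentials
  LambdaFunctionExecutionRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: lambda.amazonaws.com
            Action: sts:AssumeRole
      ManagedPolicyArns:
        - arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole
  # Separate role (assumed name) with the bucket permissions; it trusts the execution role, not itself
  S3AccessRole:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              AWS: !GetAtt LambdaFunctionExecutionRole.Arn
            Action: sts:AssumeRole
      Policies:
        - PolicyName: ReadOnlyFileBucket
          PolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Action:
                  - s3:GetObject
                  - s3:ListBucket
                Resource:
                  - !Sub arn:aws:s3:::${S3BucketName}
                  - !Sub arn:aws:s3:::${S3BucketName}/*
  # The assume grant lives in a standalone policy so neither role definition refers to the other
  AllowAssumeS3AccessRole:
    Type: AWS::IAM::Policy
    Properties:
      PolicyName: AllowAssumeS3AccessRole
      Roles:
        - !Ref LambdaFunctionExecutionRole
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRole
            Resource: !GetAtt S3AccessRole.Arn
```

The dependency graph is then execution role, then S3AccessRole, then the policy, which CloudFormation can order; putting the sts:AssumeRole statement inline in LambdaFunctionExecutionRole.Policies would reintroduce the cycle.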

Regarding "java - User: arn:aws:sts::{account_id}:assumed-role/* is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{account_id}:role/*", we found a similar question on Stack Overflow: https://stackoverflow.com/questions/70667744/
