个人中心
gpt4 book ai didi

amazon-web-services - AWSSecurityTokenServiceException : Acced denied. 用户无权执行 sts:AssumeRole

转载 作者:行者123 更新时间:2023-12-05 07:33:17 35 4
gpt4 key购买 nike

我是 aws 的新手。我想为 aws 调用生成临时凭证。为此,我使用了 Making Requests Using IAM User Temporary Credentials - AWS SDK for Java 中的示例

我路过的地方

String clientRegion = "<specific region>";
String roleARN = "<ARN from role>";
String roleSessionName = "Just random string"; //<-- maybe I should pass specific SessionName?
String bucketName = "<specific bucket name>";

尝试承担角色时

stsClient.assumeRole(roleRequest);

得到一个错误

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam:::user/ is not authorized to perform:

sts:AssumeRole on resource: arn:aws:iam::<ID>:role/<ROLE_NAME> (Service: AWSSecurityTokenService; Status Code: 403; Error Code:

AccessDenied; Request ID:)

我有一个 cognito 角色。我认为问题出在角色信任关系设置中。它看起来像这样:

    {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<iam user ID>:user/<USER_NAME>",
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<user pool ID>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}

用户政策(此用户政策也附加到此角色):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<sidId1>",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::<path>*"
            ]
        },
        {
            "Sid": "sidId2",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Resource": [
                "arn:aws:iam::<ID>:role/<ROLE_NAME>"
            ]
        }
    ]
}

用户策略有两个警告:

enter image description here我做错了什么?

UPD我更改角色信任关系,只需删除条件:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com",
        "AWS": "arn:aws:iam::<ID>:user/<USER>"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:AssumeRoleWithWebIdentity"
      ]
    }
  ]
}

现在 Access denied 错误发生在另一行代码上:

  // Verify that assuming the role worked and the permissions are set correctly
  // by getting a set of object keys from the bucket.
  ObjectListing objects = s3Client.listObjects(bucketName);

收到错误响应:com.amazonaws.services.s3.model.AmazonS3Exception:拒绝访问(服务:Amazon S3;状态代码:403;错误代码:AccessDenied;请求 ID:),S3 扩展请求 ID:

最佳答案

为了能够代入 IAM 角色,IAM 角色代入角色策略或信任关系必须明确允许委托(delegate)人代入角色,在本例中它不允许。它允许 sts:AssumeRoleWithWebIdentity 具有某些不适用于您的情况的条件。

关于另一个错误,如@user818510 所述,您的角色无权执行 s3:ListBucket 操作。

关于amazon-web-services - AWSSecurityTokenServiceException : Acced denied. 用户无权执行 sts:AssumeRole,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/50694683/

35 4 0
文章推荐: html - 拒绝应用样式,因为不支持 MIME 类型
文章推荐: angularjs - 什么时候不在 AngularJs 中使用 ng-cloak?
文章推荐: python-3.x - 索引错误 :Index 10 is out of bounds for axis 1 with size 10
文章推荐: 使用 Terraform 跨订阅的 Azure Vnet 对等互连
行者123
个人简介

我是一名优秀的程序员,十分优秀!

滴滴打车优惠券免费领取
滴滴打车优惠券
Copyright 2021 - 2024 cfsdn All Rights Reserved 蜀ICP备2022000587号
广告合作:1813099741@qq.com 6ren.com