AWS cli: not authorized to perform: sts:AssumeRole on resource
I have an AWS account in which I am assuming a role named A (role-A); from that role I have created another role named B (role-B) through the web console and attached the administrator policy to that role.
Here is the cli configuration:
[default]
aws_access_key_id = <>
aws_secret_access_key = <>
region = eu-central-1
[role-B]
role_arn = arn:aws:iam::<id>:role/ics-role
mfa_serial = arn:aws:iam::<id>:mfa/<name>
external_id = <name>
source_profile = default
The profile role-B is for role B, which I have created from role-A.
When I try to get the role details:
aws --profile role-B sts get-caller-identity
I am getting the following error:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::<>:user/<> is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<>:role/ics-role
You'll need to check the trust relationship policy document of the IAM role to confirm that your user is in it.
Additionally, make sure that the IAM user has explicit permissions allowing them to assume that role.
The trust relationship should look something like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:user/person"
]
},
"Action": "sts:AssumeRole"
}
]
}
My issue was I had a condition set in the policy JSON.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::000000000:user/dave"
},
"Action": "sts:AssumeRole",
"Condition": {
// Condition set here
}
}]
}
I removed the condition and it works now with no issues.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::000000000:user/dave"
},
"Action": "sts:AssumeRole"
}]
}
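Both answers come down to the same check: the role's trust policy must name the caller as a principal, and every Condition on that statement must be satisfied by the request (the question's profile sets mfa_serial and external_id, which the CLI turns into the aws:MultiFactorAuthPresent and sts:ExternalId context keys). Here is an added offline checker, not code from either answer, that evaluates a trust policy document against a caller ARN and request context; it covers only the trust side, not the caller's own identity-based policy, and the account id, user names, external id and sample policy are all constructed.

```python
import json

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller_arn):
    """Principal may be "*", one ARN, a list of ARNs, or {"AWS": ...}."""
    if principal == "*":
        return True
    entries = principal.get("AWS", []) if isinstance(principal, dict) else principal
    for entry in _as_list(entries):
        if entry in ("*", caller_arn):
            return True
        # ACCOUNT:root trusts the whole account; the caller's own IAM policy must then also allow sts:AssumeRole
        if entry.endswith(":root") and entry.split(":")[4] == caller_arn.split(":")[4]:
            return True
    return False

def _conditions_hold(condition, context):
    # Evaluate the operators trust policies commonly use; reject any other.
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals" and actual not in _as_list(expected):
                return False, f"condition {key} does not match"
            if operator == "Bool" and str(actual).lower() != str(expected).lower():
                return False, f"condition {key} must be {expected}"
            if operator not in ("StringEquals", "Bool"):
                return False, f"unsupported condition operator {operator}"
    return True, "allowed"

def assume_role_allowed(trust_policy_json, caller_arn, context):
    """Return (allowed, reason). Assumes the policy has no explicit Deny statements."""
    reasons = []
    for stmt in json.loads(trust_policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            reasons.append("caller is not a trusted principal")
            continue
        ok, reason = _conditions_hold(stmt.get("Condition", {}), context)
        if ok:
            return True, reason
        reasons.append(reason)
    return False, "; ".join(reasons) or "no Allow statement for sts:AssumeRole"

# Constructed sample (made-up account id and names) mirroring the question's profile: MFA and external id required.
TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:user/dave"},
    "Condition": {"StringEquals": {"sts:ExternalId": "proj-42"},
                  "Bool": {"aws:MultiFactorAuthPresent": "true"}}}]})
```

Run it with the caller ARN from the AccessDenied message and the context your profile actually sends; the reason string tells you whether it is the principal or a condition that is failing.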