
aws sdk assumeRole not taking effect

I've got the below segment of code running. My calls to AWS work fine, but now that I've had to switch roles it's running into problems making it take effect, as it seems I'm still stuck in the original role.

    import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
    import com.amazonaws.regions.Regions;
    import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
    import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
    import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
    import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
    import com.amazonaws.services.securitytoken.model.Credentials;
    import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
    import com.amazonaws.services.securitytoken.model.GetCallerIdentityResult;

    public void awsAssumeRoleUsingEnvironmentVariable(Regions region, String roleARN, String roleSessionName) throws Exception {
        // STS client signed with the long-lived credentials taken from the environment
        AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(new EnvironmentVariableCredentialsProvider())
                .withRegion(region)
                .build();

        GetCallerIdentityRequest request = new GetCallerIdentityRequest();
        GetCallerIdentityResult response = stsClient.getCallerIdentity(request);

        System.out.println("CURRENT ROLE ASSUMED IS: " + response.toString());

        request = new GetCallerIdentityRequest();

        System.out.println("EXECUTING ASSUME ROLE");
        AssumeRoleRequest roleRequest = new AssumeRoleRequest()
                .withRoleArn(roleARN)
                .withRoleSessionName(roleSessionName);

        AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);

        // Temporary credentials for the role; note they are never handed to any client below
        Credentials sessionCredentials = roleResponse.getCredentials();

        // Still signed by stsClient, which keeps the environment credentials it was built with
        response = stsClient.getCallerIdentity(request);

        System.out.println("CURRENT ROLE ASSUMED IS: " + response.toString());
    }

The getCallerIdentity is returning the same role each time.

Edit: Just trying to work it out, it's definitely an issue with the way I've coded this up, by trying to use the credentials returned using the AWS CLI. When I do a System.out.println() on the sessionCredentials variable produced when I run my app, and then manually export the returned keys using the below...

export AWS_ACCESS_KEY_ID=RoleAccessKeyID
export AWS_SECRET_ACCESS_KEY=RoleSecretKey
export AWS_SESSION_TOKEN=RoleSessionToken

Followed by a...

aws sts get-caller-identity

The correct role is returned, so my Java code's assumeRole seems to be working and getting credentials, but it's like I'm not setting the client correctly, so it's not using the role it's just assumed.

Many thanks

As discussed in the comments, use sessionCredentials to create a new BasicSessionCredentials, which can be passed to any resource client.

Sample code here: https://docs.aws.amazon.com/AmazonS3/latest/dev/AuthUsingTempSessionTokenJava.html


import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ObjectListing;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;

public class MakingRequestsWithIAMTempCredentials {
    public static void main(String[] args) {
        String clientRegion = "*** Client region ***";
        String roleARN = "*** ARN for role to be assumed ***";
        String roleSessionName = "*** Role session name ***";
        String bucketName = "*** Bucket name ***";

        try {
            // Creating the STS client is part of your trusted code. It has
            // the security credentials you use to obtain temporary security credentials.
            AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                                                    .withCredentials(new ProfileCredentialsProvider())
                                                    .withRegion(clientRegion)
                                                    .build();

            // Obtain credentials for the IAM role. Note that you cannot assume the role of an AWS root account;
            // Amazon S3 will deny access. You must use credentials for an IAM user or an IAM role.
            AssumeRoleRequest roleRequest = new AssumeRoleRequest()
                                                    .withRoleArn(roleARN)
                                                    .withRoleSessionName(roleSessionName);
            AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
            Credentials sessionCredentials = roleResponse.getCredentials();

            // Create a BasicSessionCredentials object that contains the credentials you just retrieved.
            BasicSessionCredentials awsCredentials = new BasicSessionCredentials(
                    sessionCredentials.getAccessKeyId(),
                    sessionCredentials.getSecretAccessKey(),
                    sessionCredentials.getSessionToken());

            // Provide temporary security credentials so that the Amazon S3 client
            // can send authenticated requests to Amazon S3. You create the client
            // using the sessionCredentials object.
            AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
                                    .withCredentials(new AWSStaticCredentialsProvider(awsCredentials))
                                    .withRegion(clientRegion)
                                    .build();

            // Verify that assuming the role worked and the permissions are set correctly
            // by getting a set of object keys from the bucket.
            ObjectListing objects = s3Client.listObjects(bucketName);
            System.out.println("No. of Objects: " + objects.getObjectSummaries().size());
        }
        catch(AmazonServiceException e) {
            // The call was transmitted successfully, but Amazon S3 couldn't process 
            // it, so it returned an error response.
            e.printStackTrace();
        }
        catch(SdkClientException e) {
            // Amazon S3 couldn't be contacted for a response, or the client
            // couldn't parse the response from Amazon S3.
            e.printStackTrace();
        }
    }
}
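As an added example (not code from the question or the answer above), the same switch applied to the question's getCallerIdentity check. Instead of a one-shot BasicSessionCredentials it uses the SDK's STSAssumeRoleSessionCredentialsProvider, which calls AssumeRole through the base STS client and re-assumes the role before the temporary credentials expire, and it verifies the switch by comparing the caller ARN against the requested role rather than eyeballing toString() output. The role ARN and session name come from the command line; the region (EU_WEST_1), the 900-second session duration and the isSessionOfRole helper are assumptions made for this illustration, and the STS calls themselves need real credentials, so the main method cannot run offline.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.EnvironmentVariableCredentialsProvider;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.regions.Regions;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityResult;

public class AssumeRoleIdentityCheck {

    /** Builds an STS client that signs every request with whatever the given provider supplies. */
    static AWSSecurityTokenService stsClient(AWSCredentialsProvider provider, Regions region) {
        return AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(provider)
                .withRegion(region)
                .build();
    }

    /**
     * Assumed helper (not part of the SDK): STS reports an assumed role as
     * arn:PARTITION:sts::ACCOUNT:assumed-role/ROLE/SESSION, not as the IAM role ARN
     * arn:PARTITION:iam::ACCOUNT:role[/PATH]/ROLE that was requested, so a plain equals()
     * on the role ARN would always fail. Compare partition, account and role name instead.
     */
    static boolean isSessionOfRole(String callerArn, String roleArn) {
        String[] caller = callerArn.split(":", 6);
        String[] role = roleArn.split(":", 6);
        if (caller.length < 6 || role.length < 6) return false;
        if (!"sts".equals(caller[2]) || !"iam".equals(role[2])) return false;
        String[] callerRes = caller[5].split("/");           // assumed-role / ROLE / SESSION
        if (callerRes.length != 3 || !"assumed-role".equals(callerRes[0])) return false;
        if (!role[5].startsWith("role/")) return false;
        String roleName = role[5].substring(role[5].lastIndexOf('/') + 1); // path is dropped in session ARNs
        return caller[1].equals(role[1]) && caller[4].equals(role[4]) && callerRes[1].equals(roleName);
    }

    public static void main(String[] args) throws Exception {
        Regions region = Regions.EU_WEST_1;                   // assumption for the example
        String roleArn = args[0];
        String sessionName = args.length > 1 ? args[1] : "assume-role-check";

        // 1. Base identity: this client holds the long-lived environment credentials and never changes.
        AWSSecurityTokenService baseSts = stsClient(new EnvironmentVariableCredentialsProvider(), region);
        GetCallerIdentityResult before = baseSts.getCallerIdentity(new GetCallerIdentityRequest());
        System.out.println("BEFORE: " + before.getArn());

        // 2. A provider that performs AssumeRole via baseSts and refreshes the session before it expires.
        STSAssumeRoleSessionCredentialsProvider roleProvider =
                new STSAssumeRoleSessionCredentialsProvider.Builder(roleArn, sessionName)
                        .withStsClient(baseSts)
                        .withRoleSessionDurationSeconds(900)  // minimum STS allows; assumption for the example
                        .build();

        // 3. Only a client built with the role provider signs as the role; baseSts still signs as before.
        AWSSecurityTokenService roleSts = stsClient(roleProvider, region);
        GetCallerIdentityResult after = roleSts.getCallerIdentity(new GetCallerIdentityRequest());
        System.out.println("AFTER:  " + after.getArn());

        if (!isSessionOfRole(after.getArn(), roleArn)) {
            throw new IllegalStateException("caller is not a session of " + roleArn + ": " + after.getArn());
        }
        GetCallerIdentityResult stillBase = baseSts.getCallerIdentity(new GetCallerIdentityRequest());
        System.out.println("Role switch verified; baseSts still reports " + stillBase.getArn());

        roleProvider.close();  // stops the background refresh once the session is no longer needed
    }
}
```

A client's credentials provider is fixed when the builder's build() runs, so calling assumeRole on stsClient never changes what stsClient signs with; the assumed-role credentials only take effect in clients constructed from them. Prefer the refreshing provider over AWSStaticCredentialsProvider for anything that runs longer than the session duration, because static session credentials simply start returning ExpiredToken errors once the session ends.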

Declaration: the technical posts on this site follow the CC BY-SA 4.0 licence. If you need to repost, please cite this site's URL or the original address. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号 © 2020-2024 STACKOOM.COM