堆栈内存溢出
  简体   繁体   English

使用 IAM 用户的访问密钥为第三方 AWS 账户代入角色失败

[英]Failed to assume role for third-party AWS account using IAM user's access key

 原文  2020-06-19 21:41:40       java/ amazon-web-services/ sts-securitytokenservice/ assume-role

问题描述

I am trying to give a third-party AWS Account access to my AWS Account using Assume Role function with SecurityAudit role, similar to here .我正在尝试使用具有 SecurityAudit 角色的 Assume Role function 授予第三方 AWS 账户对我的 AWS 账户的访问权限,类似于此处 I followed the explanation from this to assign the third-party account the role called testing where I will get the trust relationship something like this (which I also added the IAM user of third party since it will access my AWS account using his access key):我按照这里的解释为第三方账户分配了名为 testing 的角色,我将在其中获得类似这样的信任关系(我还添加了第三方的 IAM 用户,因为它将使用他的访问密钥访问我的 AWS 账户) :

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::thirdparty:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Then I followed the code from here as follow:然后我按照这里的代码如下:

AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                                                    .withCredentials(new ProfileCredentialsProvider())
                                                    .withRegion(clientRegion)
                                                    .build();

            // Obtain credentials for the IAM role. Note that you cannot assume the role of an AWS root account;
            // Amazon S3 will deny access. You must use credentials for an IAM user or an IAM role.
            AssumeRoleRequest roleRequest = new AssumeRoleRequest()
                                                    .withRoleArn(roleARN)
                                                    .withRoleSessionName(roleSessionName);
            AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
            Credentials sessionCredentials = roleResponse.getCredentials();

But when the third party run the code it received an error like this:但是当第三方运行代码时,它会收到如下错误:

Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::thirdparty:user/TestOne is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::myaccount:role/testing(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1632)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1304)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1058)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1307)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1283)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:466)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:442)

So if the third party AWS account want to do security audit to my account using his access key, how should it be correctly configured?那么如果第三方AWS账户想要使用他的访问密钥对我的账户进行安全审计,应该如何正确配置呢?

1 个解决方案

解决方案1
 2 已采纳  2020-06-19 22:23:07

The error says that错误说

arn:aws:iam::thirdparty:user/TestOne

is is not able to assume the role of interest.不是能够承担利益的角色。

In your question you correctly allowed the arn:aws:iam::thirdparty:root to assume the role.在您的问题中,您正确地允许arn:aws:iam::thirdparty:root担任该角色。 But this still is not giving TestOne IAM user permissions to do the same.但这仍然没有授予TestOne IAM 用户执行相同操作的权限。

To fix that, the admin/root of the thirdparty account must explicitly allow IAM user TestOne to sts:AssumeRole in your account.要解决此问题, thirdparty账户的管理员/根必须明确允许IAM 用户TestOne在您的账户中使用sts:AssumeRole

Thus the thirdparty account can add such permissions as inline policy to the TestOne user, for example.因此, thirdparty帐户可以将诸如内联策略之类的权限添加到例如TestOne用户。 Obviously it can also be done using customer managed policies, or other IAM mechanisms.显然,也可以使用客户管理的策略或其他 IAM 机制来完成。 But inline policy seems as fastest and easiest to test.但内联策略似乎是最快且最容易测试的。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 在使用分配的 IAM 进行访问的 ec2 上使用 java SDK 在 aws 中扮演不同的角色 - assume different role in aws using java SDK on ec2 which uses assigned IAM for access 使用IAM Role从Java访问AWS S3 - access AWS S3 from java using IAM Role 保留没有ID的第三方类 - Persisting third-party classes with no ID's 使用带有libgdx和GWT的第三方库 - Using a third-party library with libgdx and GWT AWS Lambda:如何使用Java中的IAM角色访问其他账户的存储桶 - AWS Lambda: How to access other account's bucket using IAM Roles in Java 如何使用 java api 获取 AWS 帐户详细信息? 不适用于 IAM 用户 - How to get AWS account details using java api? Not for IAM user AWS SDK 2 代入角色 - AWS SDK 2 assume role 本地设置的 AWS S3 IAM 角色 - AWS S3 IAM role for Local setup 对已弃用的JavaEE模块有选择地使用第三方实现 - Selectively using third-party implementation for deprecated JavaEE modules 火力基地| 使用第三方JWT库验证ID令牌 - firebase | Verify ID tokens using a third-party JWT library
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM