
Get STS Assume Role User Tags

I am trying to store metadata into an STS "assume role" session so that I can retrieve it when the session user calls my service.

To accomplish this, I am setting a tag during the STS assumeRole creation:

```java
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.Tag;
import com.google.common.collect.ImmutableList;

AWSSecurityTokenService service = ...
AssumeRoleRequest request = new AssumeRoleRequest();
request.setTags(ImmutableList.of(new Tag().withKey("metadataKey").withValue("metadataValue")));
...
service.assumeRole(request);
```

In my backend service, I receive the username and ARN of the caller which corresponds to the temporary session. However, I am not able to look up the details of the IAM user (which would contain the tags).

```java
import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
import com.amazonaws.services.identitymanagement.model.GetUserRequest;

AmazonIdentityManagement iamClient = ...
GetUserRequest request = new GetUserRequest();
request.setUserName(...);
// this next line fails because the temporary user has a colon in the username
iamClient.getUser(request);
```

How would I retrieve the Tags of a temporary 'Assume Role user'?

This question is based on a misunderstanding of what Tags are used for. Tags are used to further ALLOW / DENY access to resources. They are not used as a canvas for storing metadata. This is supported by the AWS documentation:

When you use the session credentials to make a subsequent request, the request context includes the aws:PrincipalTag context key. You can use the aws:PrincipalTag key in the Condition element of your policies to allow or deny access based on those tags. See more here

Temporary session users cannot be looked up from an IAM ARN as there is no persistent data stored by AWS.

However, there is a workaround where you can store limited metadata using the "session name" field. AWS uses the session name in the ARN, so values can actually be stored as long as they are not sensitive information.

During the role creation:

```java
AWSSecurityTokenService service = ...
AssumeRoleRequest request = new AssumeRoleRequest();
// the session name is echoed back in the assumed-role ARN
request.setRoleSessionName("metadata=test");
service.assumeRole(request);
```

Finally, the user ARN is in this format and can be read by another service:

[generatedId]:metadata=test[moreData]
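The session-name workaround above, as an added example that is not part of the original answer: it encodes key=value metadata into a RoleSessionName (validated against the character set and length STS accepts) and reads it back from either the assumed-role ARN or the "ID:session" user ID the backend receives. The class name, the sample role name and account ID are constructed for illustration; the session name is chosen by the caller and is also written to CloudTrail, so it is informational, not a secret.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Pattern;

// Hypothetical helper (not from the original post) for carrying metadata in RoleSessionName.
public class SessionNameMetadata {
    // STS requires RoleSessionName to be 2-64 characters from [\w+=,.@-]
    private static final Pattern SESSION_NAME = Pattern.compile("[\\w+=,.@-]{2,64}");

    /** Build "k1=v1,k2=v2"; rejects anything STS would refuse (slashes, spaces, too long). */
    public static String encode(Map<String, String> metadata) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : metadata.entrySet()) {
            if (sb.length() > 0) sb.append(',');
            sb.append(e.getKey()).append('=').append(e.getValue());
        }
        String name = sb.toString();
        if (!SESSION_NAME.matcher(name).matches()) {
            throw new IllegalArgumentException("invalid RoleSessionName: " + name);
        }
        return name;
    }

    /** Session name from an assumed-role ARN (arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION)
     *  or from the "AROA...:SESSION" user ID shown in the answer (text after the colon). */
    public static String sessionName(String principal) {
        if (principal.startsWith("arn:")) {
            String[] parts = principal.split("/");
            if (parts.length != 3 || !parts[0].endsWith(":assumed-role")) {
                throw new IllegalArgumentException("not an assumed-role ARN: " + principal);
            }
            return parts[2];
        }
        int colon = principal.indexOf(':');
        if (colon < 0) throw new IllegalArgumentException("no session name in: " + principal);
        return principal.substring(colon + 1);
    }

    /** Parse "k1=v1,k2=v2" back into a map; pairs without '=' are skipped. */
    public static Map<String, String> decode(String sessionName) {
        Map<String, String> out = new LinkedHashMap<>();
        for (String pair : sessionName.split(",")) {
            int eq = pair.indexOf('=');
            if (eq > 0) out.put(pair.substring(0, eq), pair.substring(eq + 1));
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, String> meta = new LinkedHashMap<>();
        meta.put("metadata", "test");
        meta.put("tenant", "acme");
        String name = encode(meta);
        // Constructed sample principals of the shapes the backend sees after AssumeRole.
        String arn = "arn:aws:sts::123456789012:assumed-role/MyServiceRole/" + name;
        String userId = "AROAEXAMPLEID:" + name;
        System.out.println(decode(sessionName(arn)));
        System.out.println(decode(sessionName(userId)));
    }
}
```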
