[英]python boto3 error: Not authorized to perform assumed role on resource
I am trying to move files from a S3 bucket in one account(source account) to S3 bucket in another account(destination account) I am using sagemaker notebook so I have a sagemaker role.我正在尝试将文件从一个帐户(源帐户)中的 S3 存储桶移动到另一个帐户(目标帐户)中的 S3 存储桶我正在使用 sagemaker notebook,所以我有一个 sagemaker 角色。 I also have a role in my team account which has full s3 access and fullsagemaker access and in the trust relationship i have given the destination account role arn and sagemaker role arn.
我在我的团队帐户中也有一个角色,该角色具有完整的 s3 访问权限和 fullsagemaker 访问权限,并且在信任关系中,我已赋予目标帐户角色 arn 和 sagemaker 角色 arn。 The destination account also has my team role arn and sagemaker role arn in its trust policy.
目标账户在其信任策略中还有我的团队角色 arn 和 sagemaker 角色 arn。
I am trying to assume my team role and then I will assume the destination role to copy files.我正在尝试承担我的团队角色,然后我将承担复制文件的目标角色。
import boto3
sts_client = boto3.client('sts')
assumed_teamrole_object = sts_client.assume_role(DurationSeconds=1800,
RoleArn='myteamrole',
RoleSessionName='test1')
assumed_destrole_object = sts_client.assume_role(DurationSeconds=1800,
ExternalId='externalid provided by destination account',
RoleArn='destination account role',
RoleSessionName='test2')
The first three lines execute fine.前三行执行得很好。 when I try to assume the destination role i am getting the error
当我尝试承担目标角色时出现错误
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::role/AmazonSageMaker-ExecutionRole-/SageMaker is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::destinationrole调用 AssumeRole 操作时发生错误 (AccessDenied):用户:arn:aws:sts::role/AmazonSageMaker-ExecutionRole-/SageMaker 无权执行:sts:AssumeRole 资源:arn:aws:iam::destinationrole
Is there something I am missing, what am i doing wrong.有什么我想念的吗,我做错了什么。 Please help.
请帮忙。 I dont have any user , it is just roles
我没有任何用户,它只是角色
Thanks!谢谢!
The error message indicates that you are missing sts:AssumeRole
permissions.该错误消息表明您缺少
sts:AssumeRole
权限。 Your comments indicate that this is the case, as you have only S3 permission for now.您的评论表明情况确实如此,因为您目前只有 S3 权限。
To rectify this, you can add inline policy to AmazonSageMaker-ExecutionRole
role, in the form of:要纠正此问题,您可以采用以下形式向
AmazonSageMaker-ExecutionRole
角色添加内联策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "*"
}
]
}
You can further limit the Resource
to only arn:aws:iam::destinationrole
.您可以进一步将
Resource
限制为仅arn:aws:iam::destinationrole
。 But for tests you can try with *
as Resource
.但是对于测试,您可以尝试使用
*
作为Resource
。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.