AWS Lambda SQS 触发器承担角色
[英]AWS Lambda SQS Trigger Assume role
问题描述
I have been given a task to consume messages from an SQS queue from an external company which returns me a bucket and key from which I am to copy a file.
我接到了一项任务,要使用来自外部公司的 SQS 队列中的消息,这会向我返回一个存储桶和密钥,我将从中复制文件。 This external company has set up a role that I can assume that gives me access to the SQS queue and the S3 bucket, but I have a problem.这家外部公司设置了一个我可以承担的角色,让我可以访问 SQS 队列和 S3 存储桶,但我遇到了问题。 How do I assume that external role for my Lambda trigger?我如何为我的 Lambda 触发器承担外部角色? Is this even possible?这可能吗?
1 个解决方案
解决方案1
2 2020-11-11 22:11:09
You'll assume the role in your Lambda and then interact with the external AWS account using temporary credentials.您将担任 Lambda 中的角色,然后使用临时凭证与外部 AWS 账户进行交互。
Example with python.以 python 为例。
import boto3
sts = boto3.client('sts')
role = sts.assume_role(
RoleArn="arn:aws:iam::EXTERNAL_COMPANY_ACCOUND_ID:role/EXTERNAL_COMPANY_ROLE",
ExternalId="EXTERNAL_ID_CONFIGURED",
RoleSessionName="RoleSessionNameYouWant")
credentials = role['Credentials']
# Interact with resoures from the external company account
external_session = boto3.Session(
aws_access_key_id=credentials['AccessKeyId'],
aws_secret_access_key=credentials['SecretAccessKey'],
aws_session_token=credentials['SessionToken'])
s3 = external_session.client('s3'),
sqs = external_session.client('sqs')
An external ID is optional but important when roles are given to third-parties to avoid the confused deputy problem .外部 ID 是可选的,但在将角色授予第三方时很重要,以避免代理人混淆问题。 Ask the third-party to configure an external id for your role if that wasn't done.如果未完成,请第三方为您的角色配置外部 ID。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.