How can I create profiles in the AWS CloudShell to access different roles?
The new CloudShell service from AWS allows me to get a CLI session directly within the browser. In this session, I am acting under my currently active role:
$ aws sts get-caller-identity
{
    "UserId": "AROA2MDGRZUIRD434HHAF:johndoe",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/myrole/johndoe"
}
I can assume another role from myrole as expected:
$ aws sts assume-role --role-arn arn:aws:iam::123456789012:role/otherRole --role-session-name mySession123
{
    "Credentials": {
        "AccessKeyId": "ASIA...",
        "SecretAccessKey": "...",
        "SessionToken": "...",
        "Expiration": "2021-04-28T16:29:55+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROA...:mySession123",
        "Arn": "arn:aws:sts::123456789012:assumed-role/otherRole/mySession123"
    }
}
Now I want to configure a CLI profile to use otherRole. I tried an entry like this:
[profile otherRole]
role_arn = arn:aws:iam::123456789012:role/otherRole
but this causes an error, because I have to specify either a credential_source or a source_profile.
From an EC2 instance with a service role I would set credential_source=Ec2InstanceMetadata but this doesn't work here. Setting source_profile to default also causes an error:
The source profile "default" must have credentials.
How can I create a CLI-profile within the AWS CloudShell to persistently assume another role?
I found the answer to be documented here. CloudShell is not using EC2 instances but is rather running in an ECS-based container. Thus setting the credential_source to EcsContainer does the trick:
[profile otherRole]
credential_source=EcsContainer
role_arn=arn:aws:iam::123456789012:role/otherRole
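
The following is an added example, not part of the original question or answer: a shell helper that picks the credential_source from the environment and appends the role profile to the CLI config exactly once. The function names are hypothetical, and it assumes CloudShell supplies its credentials through the container credentials environment variables that the CLI's EcsContainer provider reads.

```shell
# Added example, not from the original post. Function names are hypothetical.

# Choose credential_source from where the shell's base credentials come from.
# The AWS CLI's EcsContainer provider reads the container credentials endpoint
# named by these variables (assumed here to be what CloudShell sets).
detect_credential_source() {
  if [ -n "${AWS_CONTAINER_CREDENTIALS_FULL_URI:-}" ] ||
     [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]; then
    echo EcsContainer
  elif [ -n "${AWS_ACCESS_KEY_ID:-}" ]; then
    echo Environment
  else
    return 1   # nothing detected: do not guess
  fi
}

# add_role_profile NAME ROLE_ARN [CONFIG_FILE]
# Appends the profile once. Returns 2 on bad input, 3 when no base credentials
# are detected, 1 when the profile already exists, 4 if the file is unwritable.
add_role_profile() {
  local name="$1" arn="$2" cfg="${3:-${AWS_CONFIG_FILE:-$HOME/.aws/config}}" src
  # Reject embedded newlines so a value cannot smuggle extra config lines.
  case "$name$arn" in *'
'*) echo "newline in input" >&2; return 2 ;; esac
  printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9_.-]+$' ||
    { echo "bad profile name" >&2; return 2; }
  printf '%s\n' "$arn" |
    grep -Eq '^arn:aws[a-z-]*:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$' ||
    { echo "bad role ARN" >&2; return 2; }
  src=$(detect_credential_source) ||
    { echo "no base credentials detected" >&2; return 3; }
  mkdir -p "$(dirname "$cfg")" && touch "$cfg" && chmod 600 "$cfg" || return 4
  if grep -qxF "[profile $name]" "$cfg"; then
    echo "profile $name already present" >&2; return 1
  fi
  printf '\n[profile %s]\ncredential_source = %s\nrole_arn = %s\n' \
    "$name" "$src" "$arn" >> "$cfg"
}
```

After add_role_profile otherRole arn:aws:iam::123456789012:role/otherRole, running aws sts get-caller-identity --profile otherRole should report the assumed-role ARN for otherRole.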