
What is the correct way to set up AWS credentials to work with MFA and be able to assume roles as named profiles via AWS Toolkit in VSCode?

When using a simple AWS credentials file like this on Ubuntu Linux (credentials file: ~/.aws/credentials):

# let's call this account ID: 1000 for simplicity
[leigh.m]
AWS_ACCESS_KEY_ID=some_access_key_id
AWS_SECRET_ACCESS_KEY=some_secret_access_key

AWS Toolkit in VSCode works perfectly and I can access AWS resources via VSCode.

However, I need to assume roles cross-account (with a source 'root' profile controlling access to the other accounts via roles), all of which have MFA set.

My ~/.aws/config file that facilitates this looks like:

# let's say this has account ID: 2000
[profile my-assumed-role-1]
role_arn=arn:aws:iam::2000:role/AdminRole
source_profile=leigh.m
role_session_name=my-assumed-role-1-session-name
mfa_serial=arn:aws:iam::1000:mfa/leigh.m
duration_seconds=3600

This setup works perfectly well now and I can assume the role; for example, via the CLI I can list buckets in account 2000 by passing that profile, like: aws s3api list-buckets --profile my-assumed-role-1

However, when I try to access that named profile via AWS Toolkit in VSCode I get this error message in the AWS Toolkit logs:

Shared Credentials Profile leigh.m is not valid. It will not be used by the toolkit.

Failed to connect with "profile:my-assumed-role-1": Profile leigh.m is not a valid Credential Profile: Profile leigh.m is not supported by the Toolkit.

It appears to be looking for a profile 'leigh.m', so I have tried adding this section to ~/.aws/config:

[profile leigh.m]
mfa_serial=arn:aws:iam::1000:mfa/leigh.m
region=eu-west-1
output=json

I also tried not using the config file and placing everything in the credentials file (as it appears to suggest here: https://docs.aws.amazon.com/toolkit-for-visual-studio/latest/user-guide/mfa-credentials.html )

But still the same issue. Anything I have missed?

(I did have a look to see if there were any questions already on S/O on the correct setup of AWS credentials for AWS Toolkit and MFA (as my AWS credentials and config files work correctly for all other requirements); this was the only question, from ~5 years ago: Visual Studio AWS toolkit with multifactor authentication? but it was not answered, and there are no questions/answers on AWS Toolkit, MFA and assuming roles with named profiles.)

This is a VSCode AWS Toolkit bug; they are releasing a fix for it: https://github.com/aws/aws-toolkit-vscode/issues/2394

Summary: AWS Toolkit only works with lowercase keys, so this will not work:

AWS_ACCESS_KEY_ID=some_access_key_id
AWS_SECRET_ACCESS_KEY=some_secret_access_key

When the fix is released it will work with caps and lowercase; of course, in the short term just change the credentials file to:

aws_access_key_id=some_access_key_id
aws_secret_access_key=some_secret_access_key

It will work as expected它将按预期工作
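The mismatch described in this answer is invisible from the command line because the AWS CLI reads option names through Python's configparser, which lowercases them, while the Toolkit (before the fix) matched them case-sensitively. The following is an added example, not code from the question, the answer or the AWS Toolkit project: a small Python linter that parses credentials and config text with key case preserved, flags canonical credential keys that are not lowercase, checks that every source_profile referenced by a role profile actually exists and carries static credentials, and rewrites only the offending key names. The sample files, profile names and account IDs are constructed placeholders mirroring the question.

```python
"""Lint AWS shared credentials/config text for the key-case problem hit by the Toolkit."""
import configparser
import re
from typing import Dict, List

# Static-credential keys defined by the shared credentials file. Before the fix for
# aws-toolkit-vscode issue 2394 the Toolkit recognised them only in this lowercase spelling.
CANONICAL_KEYS = {"aws_access_key_id", "aws_secret_access_key", "aws_session_token"}
STATIC_PAIR = {"aws_access_key_id", "aws_secret_access_key"}

# Constructed sample input (placeholder account IDs and keys, mirroring the question).
SAMPLE_CREDENTIALS = """\
# account 1000, the source profile; keys written in uppercase as in the question
[leigh.m]
AWS_ACCESS_KEY_ID=some_access_key_id
AWS_SECRET_ACCESS_KEY=some_secret_access_key

[other]
aws_access_key_id=other_access_key_id
aws_secret_access_key=other_secret_access_key
"""

SAMPLE_CONFIG = """\
[profile my-assumed-role-1]
role_arn=arn:aws:iam::2000:role/AdminRole
source_profile=leigh.m
role_session_name=my-assumed-role-1-session-name
mfa_serial=arn:aws:iam::1000:mfa/leigh.m
duration_seconds=3600

[profile my-assumed-role-2]
role_arn=arn:aws:iam::3000:role/ReadOnly
source_profile=nobody
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI text into {section: {key: value}}, keeping key case.

    RawConfigParser lowercases option names by default (the behaviour that makes the
    CLI tolerant of AWS_ACCESS_KEY_ID); overriding optionxform lets us see the real spelling.
    """
    parser = configparser.RawConfigParser()
    parser.optionxform = str  # type: ignore[method-assign]
    parser.read_string(text)
    return {section: dict(parser.items(section)) for section in parser.sections()}


def profile_name(section: str) -> str:
    """~/.aws/config names profiles '[profile x]' (except '[default]'); credentials uses '[x]'."""
    return section[len("profile "):] if section.startswith("profile ") else section


def lint_profiles(credentials_text: str, config_text: str) -> List[str]:
    """Return human-readable findings; an empty list means both files pass the checks."""
    creds = parse_ini(credentials_text)
    config = {profile_name(s): kv for s, kv in parse_ini(config_text).items()}
    findings: List[str] = []

    # Check 1: canonical credential keys spelled with any uppercase letters, in either file.
    for source, profiles in (("credentials", creds), ("config", config)):
        for profile, kv in profiles.items():
            for key in kv:
                if key.lower() in CANONICAL_KEYS and key != key.lower():
                    findings.append(f"{source} [{profile}]: key {key!r} should be {key.lower()!r}")

    # Check 2: a role profile's source_profile must exist and be usable (static keys, or a
    # chained role profile with its own source_profile). Profiles using other mechanisms
    # (credential_source, SSO) set no source_profile and are deliberately not judged here.
    for profile, kv in config.items():
        src = kv.get("source_profile")
        if "role_arn" not in kv or src is None:
            continue
        if src not in creds and src not in config:
            findings.append(f"config [{profile}]: source_profile {src!r} is not defined in credentials or config")
            continue
        src_keys = {k.lower() for k in {**config.get(src, {}), **creds.get(src, {})}}
        if not STATIC_PAIR <= src_keys and "source_profile" not in src_keys:
            findings.append(f"config [{profile}]: source_profile {src!r} has no static credentials")
    return findings


KEY_LINE = re.compile(r"^(\s*)([A-Za-z_]+)(\s*=\s*)(.*)$")


def fix_key_case(text: str) -> str:
    """Lowercase only canonical credential key names; sections, comments and values are untouched."""
    out = []
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m and m.group(2).lower() in CANONICAL_KEYS:
            line = f"{m.group(1)}{m.group(2).lower()}{m.group(3)}{m.group(4)}"
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for finding in lint_profiles(SAMPLE_CREDENTIALS, SAMPLE_CONFIG):
        print(finding)
    print("--- after fix_key_case ---")
    for finding in lint_profiles(fix_key_case(SAMPLE_CREDENTIALS), SAMPLE_CONFIG):
        print(finding)
```

Run against real files by reading ~/.aws/credentials and ~/.aws/config into the two text arguments; the second check is worth keeping even after the Toolkit fix ships, since a role profile whose source_profile is misspelled fails in both the CLI and the Toolkit with a less direct error than the one quoted in the question.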
