[英]AWS StsClient: User not authorized to perform: sts:AssumeRole on resource
By trying to get s3 object(of account1) from ec2 instance(of account2), the Sts session creation is failed with error: "User arn:aws:sts::99 *804963:assumed-role/i-9B6331541002 f46-us-west is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::85*****15:role/MyS3DataReadRole通过尝试从 ec2 实例(account2)获取 s3 对象(account1),Sts session 创建失败并出现错误:“User arn:aws:sts::99 *804963:assumed-role/i-9B6331541002 f46-us -west无权在资源上执行:sts:AssumeRole:arn:aws:iam::85*****15:role/MyS3DataReadRole
To provide access to fetch s3 object:提供对 fetch s3 object 的访问:
The only suspicious point here is "assumed-role" instead of "role" in the user instance arn.这里唯一可疑的一点是用户实例 arn 中的“承担角色”而不是“角色”。 AFAIK The user arn is calculated automatically by AWS SDK automatically, but I can't understand why "assumed-" prefix is added before the "role".
AFAIK 用户 arn 由 AWS SDK 自动自动计算,但我不明白为什么在“角色”之前添加“assumed-”前缀。 Ie in error message is mentioned: "arn:aws:sts::99 804963:assumed-role/i-9B6331541002 f46-us-west" but in trust relationship I've provided correct arn, ie "arn:aws:sts::99 804963:role/i-9B6331541002 f46-us-west"
即在错误消息中提到:“arn:aws:sts::99 804963:assumed-role/i-9B6331541002 f46-us-west”但在信任关系中我提供了正确的 arn,即“arn:aws:sts: :99 804963:角色/i-9B6331541002 f46-us-west"
You also have to create the assume role policy and attach it to the EC2 instance role (99*804963) so that EC2 instance role can have permissions to assume the role (85*****15:role) which has read permissions for the S3 object.您还必须创建承担角色策略并将其附加到 EC2 实例角色 (99*804963),以便 EC2 实例角色可以拥有承担角色 (85*****15:role) 的权限,该角色具有读取权限S3 object。
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::85*****15:role/MyS3DataReadRole"
}
]
}
Please update the account id in the above policy with actual one.请将上述政策中的帐户 ID 更新为实际帐户 ID。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.