[英]How to use use web identify token in aws to authenticate using go sdk
I am trying to write an example of how to use a web identity token with a container to perform EC2 operations.我正在尝试编写一个示例,说明如何将 Web 身份令牌与容器一起使用来执行 EC2 操作。 The container spec contains the service account and has the necessary permission to access the token path and its namespace is a trusted entity in the role.
容器规范包含服务帐户并具有访问令牌路径的必要权限,其命名空间是角色中的受信任实体。
package main
import (
"fmt"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/credentials/stscreds"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/ec2"
"github.com/aws/aws-sdk-go/service/sts"
)
func main() {
sess, _ := session.NewSession()
config := aws.NewConfig().WithRegion("us-east-1")
stsSTS := sts.New(sess)
roleARN := "arn:aws:iam::1234567:role/s2-p0o5-csi-drivers-ebs-cloud-credentials"
roleProvider := stscreds.NewWebIdentityRoleProviderWithOptions(stsSTS, roleARN, "gosession", stscreds.FetchTokenPath("/build/token"))
creds := credentials.NewCredentials(roleProvider)
credValue, _ := roleProvider.Retrieve()
fmt.Printf("credValue.AccessKeyID: %v\n", credValue.AccessKeyID)
fmt.Printf("credValue.SecretAccessKey: %v\n", credValue.SecretAccessKey)
fmt.Printf("credValue.SessionToken: %v\n", credValue.SessionToken)
config = config.WithCredentials(creds)
nodeID := "i-00843f27cfeb0beff"
svc := ec2.New(sess, config)
request := &ec2.DescribeInstancesInput{
InstanceIds: []*string{&nodeID},
}
result, _ := svc.DescribeInstances(request)
fmt.Printf("result: %v\n", result)
}
The value of result get empty.结果的值为空。 Whereas, i have exported (credValue.AccessKeyID, credValue.SecretAccessKey,credValue.SessionToken) as environment variables and aws cli is giving me output related to describing the instance.
然而,我已将 (credValue.AccessKeyID, credValue.SecretAccessKey,credValue.SessionToken) 导出为环境变量,并且 aws cli 为我提供了与描述实例相关的输出。
I tried various methods like credentials.NewStaticCredentials()
with the credential information, but no luck.我尝试了各种方法,例如使用凭证信息的
credentials.NewStaticCredentials()
,但没有运气。 Can some help share hint on what is going wrong and correct way of doing it.一些人可以帮助分享有关出了什么问题和正确方法的提示。
使用的 instance-id 应该在该区域中可用,否则它将返回一个带有 err == nil 的空映射。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.