无法使用 STS 凭据上传到 S3
[英]Unable to upload to S3 using STS credentials
问题描述
Describe the bug
描述错误
I'm trying to integrate STS assumeRole based authentication to upload my files to S3 buckets...我正在尝试集成基于 STS assumeRole 的身份验证以将我的文件上传到 S3 存储桶...
Code Snippet代码片段
AWS.config.update({
region: 'ap-south-1',
maxRetries: 3,
accessKeyId: process.env.AWS_ACCESS_KEY_ID,
secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
sessionToken: process.env.AWS_SESSION_TOKEN,
})
const roleToAssume = {
RoleArn: process.env.ASSUME_ROLE_ARN,
RoleSessionName: 'codebuild',
DurationSeconds: 900,
}
const sts = new AWS.STS({
apiVersion: '2011-06-15',
region: 'ap-south-1',
endpoint: 'sts.ap-south-1.amazonaws.com',
})
sts.assumeRole(roleToAssume, function (err, assumedRole) {
if (err) {
reject__(err)
console.log('err>>>', err, err.stack)
} else {
console.log(
'🚀 ~ file: uploadTos3.js:30 ~ sts.assumeRole ~ data:',
assumedRole
)
fileArray.map((file) => {
// Configuring parameters for S3 Object
const s3 = new AWS.S3({
accessKeyId: assumedRole.Credentials.AccessKeyId,
secretAccessKey: assumedRole.Credentials.SecretAccessKey,
sessionToken: assumedRole.Credentials.SessionToken,
})
const S3params = {
Bucket: process.env.S3_BUCKET,
Body: fs.createReadStream(file),
Key: generateFileKey(file),
}
s3.upload(S3params, function (err, data) {
if (err) {
console.error(err)
} else {
console.log(`Assets uploaded to S3: `, data)
}
})
})
response__()
}
})
but everytime sts.assumeRole throwing this error但每次sts.assumeRole抛出这个错误
InvalidClientTokenId: The security token included in the request is invalid
--
823 | at Request.extractError (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/protocol/query.js:50:29)
824 | at Request.callListeners (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
825 | at Request.emit (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
826 | at Request.emit (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/request.js:686:14)
827 | at Request.transition (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/request.js:22:10)
828 | at AcceptorStateMachine.runTo (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/state_machine.js:14:12)
829 | at /var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/state_machine.js:26:10
830 | at Request.<anonymous> (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/request.js:38:9)
831 | at Request.<anonymous> (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/request.js:688:12)
832 | at Request.callListeners (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
833 | code: 'InvalidClientTokenId',
834 | time: 2023-05-18T13:59:07.868Z,
835 | requestId: '3bc35552-7494-4605-9380-1fb8743e7d51',
836 | statusCode: 403,
837 | retryable: false,
838 | retryDelay: 62.92943618134528
839 | }
Scenerio-2 Here, Instead of using sts from aws-sdk I'm using aws-cli in docker image & passing assumedRole.Credentials from cli. Scenerio-2 在这里,我没有使用aws-sdk中的sts ,而是在 docker 图像中使用 aws-cli 并从 cli 传递assumedRole.Credentials 。
Command:
aws sts assume-role --role-arn $ASSUME_ROLE_ARN --role-session-name codebuild
-- Providing Credentials
But here also, I'm not able to use these credentials with aws-sdk like this但在这里,我也无法像这样将这些凭据与 aws-sdk 一起使用
const s3 = new AWS.S3({
accessKeyId: process.env.AWS_ACCESS_KEY_ID,
secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
sessionToken: process.env.AWS_SESSION_TOKEN,
})
const S3params = {
Bucket: process.env.S3_BUCKET,
Body: fs.createReadStream(file),
Key: generateFileKey(file),
}
s3.upload(S3params, function (err, data) {
if (err) {
// Set the exit code while letting the process exit gracefully.
console.error(err)
process.exitCode = 1
} else {
console.log(`Assets uploaded to S3: `, data)
}
})
Here Getting this error这里得到这个错误
InvalidToken: The provided token is malformed or otherwise invalid.
--
16 | at Request.extractError (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/services/s3.js:711:35)
17 | at Request.callListeners (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
18 | at Request.emit (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
19 | at Request.emit (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/request.js:686:14)
20 | at Request.transition (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/request.js:22:10)
21 | at AcceptorStateMachine.runTo (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/state_machine.js:14:12)
22 | at /var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/state_machine.js:26:10
23 | at Request.<anonymous> (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/request.js:38:9)
24 | at Request.<anonymous> (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/request.js:688:12)
25 | at Request.callListeners (/var/loco/loco/node_modules/.pnpm/aws-sdk@2.1379.0/node_modules/aws-sdk/lib/sequential_executor.js:116:18) {
26 | code: 'InvalidToken',
27 | region: null,
28 | time: 2023-05-18T13:44:22.058Z,
29 | requestId: 'CH90H7F00MZ4AYQB',
30 | extendedRequestId: 'SHL6HZeiY9Ts+Iu+RGahpQufpxTigrEmOO0t4ICtlqJ9AjEoREb6pRai4XtfDpxLqiN3VjmrQEM=',
31 | cfId: undefined,
32 | statusCode: 400,
33 | retryable: false,
34 | retryDelay: 0.14215548664469058
35 | }
Expected Behavior预期行为
I want to setup STS assumeRole & use those credentials to upload file to S3.我想设置 STS assumeRole 并使用这些凭据将文件上传到 S3。
There might be the RoleARN access issue, But I'm unable to identify that as well可能存在 RoleARN 访问问题,但我也无法识别
Current Behavior当前行为
- Abel to setup STS assumeRole credentials using aws-cli but unable to use with S3 from aws-sdk Abel 使用 aws-cli 设置 STS assumeRole 凭据但无法与 aws-sdk 中的 S3 一起使用
- Not able to setup STS assumeRole using aws-sdk无法使用 aws-sdk 设置 STS assumeRole
Reproduction Steps复制步骤
Same as above同上
I'm writing the code in upload_to_bucket.js file & running the same using Docker node upload_to_bucket.js我正在 upload_to_bucket.js 文件中编写代码并使用 Docker node upload_to_bucket.js运行相同的代码
Possible Solution可能的解决方案
idk, but it would be great help if anyone answer this. idk,但如果有人回答这个问题,那将是很大的帮助。
Additional Information/Context附加信息/上下文
Ping me / Mail me @sanskardahiya98@gmail.com for any further information.联系我/发邮件给我@sanskardahiya98@gmail.com 以获取更多信息。
SDK version used SDK 使用的版本
"aws-sdk": "^2.1379.0" “aws-sdk”:“^2.1379.0”
Environment details (OS name and version, etc.)环境详细信息(操作系统名称和版本等)
AWS Codebuild AWS 代码构建
1 个解决方案
解决方案1
0 已采纳 2023-06-09 05:24:32
Above code is correct itself, Issue was due to restricted access, My EC2 machine does not have access to STS,上面的代码本身是正确的,问题是由于访问受限,我的 EC2 机器无法访问 STS,
It is fixed by providing appropriate access.它通过提供适当的访问来修复。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.