[英]Why my role on aws is not correctly assumed?
在 AWS 上,我通过 terraform “My-role-ReadOnly”在主账户上创建了一个角色,我试图从另一个账户担任该角色,但如果我现在检查命令“aws sts get-caller-identity”,则假设不正确,我假设应该是其他身份? 如果我错了,请纠正我。
resource "aws_iam_role" "My-role-ReadOnly" {
name = "My-role-ReadOnly"
assume_role_policy = <<EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<my_not_main_account_id>:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
EOF
}
data "aws_iam_policy" "ReadOnlyAccess" {
arn = "arn:aws:iam::aws:policy/ReadOnlyAccess"
}
resource "aws_iam_policy_attachment" "test-attach" {
name = "test-attachment"
roles = [aws_iam_role.My-role-ReadOnly.name]
policy_arn = data.aws_iam_policy.ReadOnlyAccess.arn
}
H:\tf>aws sts assume-role --role-arn "arn:aws:iam::<main-account-id>:role/My-role-ReadOnly" --role-
session-name AWSCLI-Session
{
"AssumedRoleUser": {
"AssumedRoleId": "ARO:AWSCLI-Session",
"Arn": "arn:aws:sts::<main-account-id>:assumed-role/My-role-ReadOnly/AWSCLI-Session"
},
"Credentials": {
"SecretAccessKey": "/rV380jxxxxx",
"SessionToken": "FwoGZXxxxxx",
"Expiration": "2021-02-01T12:34:28Z",
"AccessKeyId": "ASxxxxxx"
}
}
C:\> setx AWS_ACCESS_KEY_ID ASxxxxxx
C:\> setx AWS_SECRET_ACCESS_KEY /rV380jxxxxx
C:\> setx AWS_DEFAULT_REGION eu-west-1
H:\tf>aws sts get-caller-identity
{
"Account": "<my_not_main_account_id>",
"UserId": "AIxxxxxxxx",
"Arn": "arn:aws:iam::<my_not_main_account_id>:user/terraform_user"
}
aws sts assume-role
返回新角色的临时凭证,它不会更改当前环境,也不会更改您当前登录的身份/身份。
您需要将检索到的凭据导出到环境中。 例如,您可以使用jq
做到这一点:
credentials=$(aws sts assume-role --role-arn "$provider_arn" --role-session-name "$provider_session_name" | jq ".Credentials")
export AWS_ACCESS_KEY_ID=$(echo $credentials | jq -r ".AccessKeyId")
export AWS_SECRET_ACCESS_KEY=$(echo $credentials | jq -r ".SecretAccessKey")
export AWS_SESSION_TOKEN=$(echo $credentials | jq -r ".SessionToken")
(此语法取决于您的操作系统/外壳)
只有在导出凭证后, aws sts get-caller-identity
才会返回新身份。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.