![](/img/trans.png)
[英]assume different role in aws using java SDK on ec2 which uses assigned IAM for access
[英]Failed to assume role for third-party AWS account using IAM user's access key
我正在嘗試使用具有 SecurityAudit 角色的 Assume Role function 授予第三方 AWS 賬戶對我的 AWS 賬戶的訪問權限,類似於此處。 我按照這里的解釋為第三方賬戶分配了名為 testing 的角色,我將在其中獲得類似這樣的信任關系(我還添加了第三方的 IAM 用戶,因為它將使用他的訪問密鑰訪問我的 AWS 賬戶) :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::thirdparty:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
然后我按照這里的代碼如下:
AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
.withCredentials(new ProfileCredentialsProvider())
.withRegion(clientRegion)
.build();
// Obtain credentials for the IAM role. Note that you cannot assume the role of an AWS root account;
// Amazon S3 will deny access. You must use credentials for an IAM user or an IAM role.
AssumeRoleRequest roleRequest = new AssumeRoleRequest()
.withRoleArn(roleARN)
.withRoleSessionName(roleSessionName);
AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
Credentials sessionCredentials = roleResponse.getCredentials();
但是當第三方運行代碼時,它會收到如下錯誤:
Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::thirdparty:user/TestOne is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::myaccount:role/testing(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1632)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1304)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1058)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1307)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1283)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:466)
at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:442)
那么如果第三方AWS賬戶想要使用他的訪問密鑰對我的賬戶進行安全審計,應該如何正確配置呢?
錯誤說
arn:aws:iam::thirdparty:user/TestOne
是不是能夠承擔利益的角色。
在您的問題中,您正確地允許arn:aws:iam::thirdparty:root
擔任該角色。 但這仍然沒有授予TestOne
IAM 用戶執行相同操作的權限。
要解決此問題, thirdparty
賬戶的管理員/根必須明確允許IAM 用戶TestOne
在您的賬戶中使用sts:AssumeRole
。
因此, thirdparty
帳戶可以將諸如內聯策略之類的權限添加到例如TestOne
用戶。 顯然,也可以使用客戶管理的策略或其他 IAM 機制來完成。 但內聯策略似乎是最快且最容易測試的。
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.