node.js 如何启用对 AWS STS AssumeRole 的访问
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/41337079/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
How enable access to AWS STS AssumeRole
提问by Vladimir Venegas
I am getting an error when calling to assume rolemethod of STS. It says that the user is not authorized to perform sts:AsumeRoleon resource xxx.
调用assume roleSTS 方法时出现错误。它说用户无权sts:AsumeRole在资源上执行xxx。
I did the following:
我做了以下事情:
- I created a role to access to S3 bucket.
- I ran a test over policy simulator and works fine
- I created a new group, and in it, i created a new policy that enables all sts actions, over all resources.
- I ran a test with the policy simulator, to sts assume role, pointing to the ARN of role created at step one; and it works fine
- I created a new user, and put it in group created at step 3
- With the credentials of the new user, i try to get a new credentials using sts asume role, but throw me an error that say my user is not authorized to perform sts:AssumeRole
- 我创建了一个角色来访问 S3 存储桶。
- 我对策略模拟器进行了测试并且工作正常
- 我创建了一个新组,并在其中创建了一个新策略,该策略可以针对所有资源启用所有 sts 操作。
- 我用策略模拟器运行了一个测试,让 sts 承担角色,指向在第一步创建的角色的 ARN;它工作正常
- 我创建了一个新用户,并将其放入在步骤 3 中创建的组中
- 使用新用户的凭据,我尝试使用 sts asume 角色获取新凭据,但向我抛出一个错误,指出我的用户无权执行 sts:AssumeRole
What am I doing wrong?
我究竟做错了什么?
Policy in Group
组内策略
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "some-large-id",
"Effect": "Allow",
"Action": [
"sts:*"
],
"Resource": [
"*"
]
}
]
}
Policy in role
政策在起作用
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "another-large-id",
"Effect": "Allow",
"Action": [
"s3:PutObject"
],
"Resource": [
"arn:aws:s3:::my-bucket-name/*"
]
}
]
}
And finally calling like this
最后像这样打电话
let policy = {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "new-custom-id",
"Effect": "Allow",
"Action": ["s3:PutObject"],
"Resource": ["arn:aws:s3:::my-bucket-name/*"]
}
]
};
let params = {
DurationSeconds: 3600,
ExternalId: 'some-value',
Policy: JSON.stringify(policy),
RoleArn: "arn:aws:iam::NUMBER:role/ROLE-NAME", //Cheked, role is the same that step one
RoleSessionName: this.makeNewSessionId()
};
let sts = new AWS.STS({ apiVersion: '2012-08-10' });
sts.assumeRole(params, (err, data) => {
if(err) console.log(err);
else console.log(data);
});
回答by Vladimir Venegas
There is a step that was missing: set trust relationship on role created in step one. No matter what privileges the user had, if the trust relationship is not set, STS will refuse the request.
缺少一个步骤:在第一步中创建的角色上设置信任关系。无论用户拥有何种权限,如果未设置信任关系,STS 都会拒绝请求。
Troubleshooting IAM Rolesexplain how it works.
IAM 角色故障排除解释了它的工作原理。
