php AWS AssumeRole 授权不起作用
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/21956794/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
AWS AssumeRole authorization not working
提问by Dave
I am attempting to call the AssumeRole function using AWS sts in my PHP program since I want to create temporary credentials to allow a user to create an object for an AWS bucket.
我试图在我的 PHP 程序中使用 AWS sts 调用 AssumeRole 函数,因为我想创建临时凭证以允许用户为 AWS 存储桶创建对象。
Below is the fumction I am calling PHP:
下面是我调用 PHP 的函数:
$sts = StsClient::factory(array(
'key' => 'XXXXXXXXXXXXXX',
'secret' => 'XXXXXXXXXXXXXXXX',
'token.ttd' => $timetodie
));
$bucket = "mybucket";
$result1 = $sts->assumeRole(array(
'RoleArn' => 'arn:aws:iam::123456789012:role/createPic',
'RoleSessionName' => 'mytest',
'Policy' => json_encode(array(
'Statement' => array(
array(
'Sid' => 'Deny attributes',
'Action' => array(
's3:deleteObject',
's3:deleteBucket'
),
'Effect' => 'Deny',
'Resource' => array(
"arn:aws:s3:::{$bucket}",
"arn:aws:s3:::{$bucket}/AWSLogs/*"
),
'Principal' => array(
'AWS' => "*"
)
)
)
)
),
'DurationSeconds' => 3600,
// 'ExternalId' => 'string',
));
$credentials = $result1->get('Credentials');
However, I keep getting the following error:
但是,我不断收到以下错误:
User arn:aws:iam::123456789012:user/TVMUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/createPic
用户 arn:aws:iam::123456789012:user/TVMUser 无权执行:sts:AssumeRole 资源:arn:aws:iam::123456789012:role/createPic
Below is my permissions policy for user TVMUser on my AWS console:
以下是我的 AWS 控制台上用户 TVMUser 的权限策略:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect":"Allow",
"Action":"ec2:RunInstances",
"Resource":"*"
},
{
"Effect":"Allow",
"Action":"iam:PassRole",
"Resource":"arn:aws:iam::791758789361:user/TVMUser"
},
{
"Effect":"Allow",
"Action":"sts:AssumeRole",
"Resource":"arn:aws:iam::791758789361:role/createPic"
}
]
}
Below is my role policy for the role createPic:
以下是我对 createPic 角色的角色政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:Put*",
],
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::123456789012:role/createPic"
}
]
}
Does anyone now what I am missing in my AWS policy statements and setup on AWS so I don't get the error: User arn:aws:iam::123456789012:user/TVMUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/createPic?
现在有没有人知道我在 AWS 策略声明和 AWS 上的设置中缺少什么,所以我没有收到错误:用户 arn:aws:iam::123456789012:user/TVMUser 未被授权执行:sts:AssumeRole on resource: arn:aws:iam::123456789012:role/createPic?
Am I missing something?
我错过了什么吗?
回答by jtblin
You also need to edit the Trust relationship for the role to allow the account (even if it's the same) to assume the role.
您还需要编辑角色的信任关系以允许该帐户(即使是相同的)承担该角色。
- open the role that you want to assume in the console
- click on the "Trust Relationships" tab
- click on "Edit RelationShip"
- add a statement for the account that you want to add (usually you'll only have the ec2 service in the "Trusted Entities") e.g.
- 在控制台中打开您要承担的角色
- 单击“信任关系”选项卡
- 点击“编辑关系”
- 为您要添加的帐户添加一条语句(通常您只会在“受信任的实体”中拥有 ec2 服务)例如
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/some-role"
},
"Action": "sts:AssumeRole"
}
]
}
In this example I had to add the "AWS" principal with the proper account number, the ec2.amazonaws.com Service was already there.
在此示例中,我必须使用正确的帐号添加“AWS”委托人,ec2.amazonaws.com 服务已经存在。
After I've done that I was able to assume the role without issue. Took me literally hours to figure this out, hope that will help someone.
在我完成之后,我能够毫无问题地担任这个角色。我花了几个小时才弄清楚这一点,希望对某人有所帮助。
回答by Thierry G.
I had the same error and spent hours trying to fix it with permissions and trust relationships... but that was not my problem.
我遇到了同样的错误,花了几个小时试图通过权限和信任关系修复它……但这不是我的问题。
I was following this tutorialand I deployed the cluster in US West (Oregon) as specified.
我正在学习本教程,并按照指定在美国西部(俄勒冈)部署了集群。
To make it work, I needed to activate STS for this region here.
为了让它工作,我需要在这里激活这个区域的 STS 。
回答by kaiser douglas
Maybe you should assign your sts region and endpoint:
也许您应该分配您的 sts 区域和端点:
$sts = StsClient::factory(array(
//...
'region' => 'us-west-2',
'endpoint' => 'https://sts.us-west-2.amazonaws.com',
));
