如何启用对AWS STS AssumeRole的访问 [英] How enable access to AWS STS AssumeRole

问题描述

调用STS的assume role方法时出现错误.它说用户无权对资源xxx执行sts:AsumeRole.

I am getting an error when calling to assume role method of STS. It says that the user is not authorized to perform sts:AsumeRole on resource xxx.

我做了以下事情:

1. 我创建了一个访问S3存储桶的角色.
2. 我对策略模拟器进行了测试，并且工作正常
3. 我创建了一个新的网上论坛，并在其中创建了一个新的政策， 启用所有资源上的所有sts动作.
4. 我使用策略模拟器进行了测试，以使sts扮演角色，并指出 到在第一步中创建的角色的ARN；效果很好
5. 我创建了一个新用户，并将其放在第3步中创建的组中
6. 使用新用户的凭据，我尝试获取新的凭据 使用sts asume角色，但抛出一个错误，说我的用户不是 授权执行sts:AssumeRole

1. I created a role to access to S3 bucket.
2. I ran a test over policy simulator and works fine
3. I created a new group, and in it, i created a new policy that enables all sts actions, over all resources.
4. I ran a test with the policy simulator, to sts assume role, pointing to the ARN of role created at step one; and it works fine
5. I created a new user, and put it in group created at step 3
6. With the credentials of the new user, i try to get a new credentials using sts asume role, but throw me an error that say my user is not authorized to perform sts:AssumeRole

我在做什么错了?

组策略

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "some-large-id",
            "Effect": "Allow",
            "Action": [
                "sts:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

角色政策

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "another-large-id",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket-name/*"
            ]
        }
    ]
}

最后像这样打电话

let policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "new-custom-id",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": ["arn:aws:s3:::my-bucket-name/*"]
        }
    ]
};

let params = {
    DurationSeconds: 3600, 
    ExternalId: 'some-value', 
    Policy: JSON.stringify(policy), 
    RoleArn: "arn:aws:iam::NUMBER:role/ROLE-NAME", //Cheked, role is the same that step one
    RoleSessionName: this.makeNewSessionId()
};
let sts = new AWS.STS({ apiVersion: '2012-08-10' });

sts.assumeRole(params, (err, data) => {
    if(err) console.log(err);
    else console.log(data);
});

推荐答案

缺少一个步骤:对在第一步中创建的角色设置信任关系.无论用户具有什么特权，如果未设置信任关系，STS都会拒绝该请求.

There is a step that was missing: set trust relationship on role created in step one. No matter what privileges the user had, if the trust relationship is not set, STS will refuse the request.

IAM角色故障排除解释其工作原理.

这篇关于如何启用对AWS STS AssumeRole的访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！