AWS Assume角色与EC2实例IAM角色不起作用 [英] AWS Assume role with EC2 instance IAM role not working

问题描述

在我们的应用程序中，我们使用自定义角色访问aws API.在开发人员环境中，我们在app.config中提供了访问密钥和秘密密钥，并且效果很好.

In our application, we access the aws APIs with custom roles. In the developer environment, we provide access Key and secret key in the app.config and it works great.

在生产环境中，我们设置了一个具有对自定义角色必要的权限的IAM角色，并且使用该IAM角色启动了EC2实例.当我们尝试使用代码切换角色时，我们将遇到错误

In the prod environment, we have setup an IAM role with necessary permissions to the custom roles and the EC2 instance is launched with that IAM role. When we try to switch role using the code, then we are getting below error

消息:用户:arn:aws:sts :: XXXXXXXXX:assumed-role//i-0490fbbb5ea7df6a8无权执行:sts:AssumeRole on resource:arn:aws:iam :: XXXXXXXXXX:role/

代码:

AmazonSecurityTokenServiceClient stsClient = new AmazonSecurityTokenServiceClient();
AssumeRoleResponse assumeRoleResponse = await stsClient.AssumeRoleAsync(new AssumeRoleRequest
  {
     RoleArn = roleArn,
     RoleSessionName = sessionName
  });

var sessionCredentials = new SessionAWSCredentials(assumeRoleResponse.Credentials.AccessKeyId, assumeRoleResponse.Credentials.SecretAccessKey, assumeRoleResponse.Credentials.SessionToken);

AmazonS3Client s3Client = new AmazonS3Client(sessionCredentials);

政策详细信息:

"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::account_id:role/role-name"

任何对此的帮助都会很棒.预先感谢.

Any help on this would be great. Thanks in advance.

推荐答案

我们通过在自定义角色的受信任关系中添加以下策略解决了该问题.

We resolved the issue by adding the below policy in the trusted relationship of the custom role.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "<ARN of role that has to assume the custom role>"
  },
  "Action": "sts:AssumeRole"
}

这篇关于AWS Assume角色与EC2实例IAM角色不起作用的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！