如何启用对 AWS STS AssumeRole 的访问 [英] How enable access to AWS STS AssumeRole

问题描述

调用 STS 的 assume role 方法时出错.它表示用户无权对资源 xxx 执行 sts:AsumeRole.

我做了以下事情:

1. 我创建了一个角色来访问 S3 存储桶.
2. 我对策略模拟器进行了测试并且运行良好
3. 我创建了一个新组，并在其中创建了一个新策略在所有资源上启用所有 sts 操作.
4. 我用策略模拟器运行了一个测试，让 sts 承担角色，指点到第一步创建的角色的 ARN；它工作正常
5. 我创建了一个新用户，并将其放入在步骤 3 中创建的组
6. 使用新用户的凭据，我尝试获取新凭据使用 sts asume 角色，但给我一个错误，说我的用户不是授权执行 sts:AssumeRole

我做错了什么?

组内政策

<代码>{"版本": "2012-10-17",陈述": [{"Sid": "some-large-id","Effect": "允许",行动": [sts:*"],资源":[*"]}]}

角色政策

<代码>{"版本": "2012-10-17",陈述": [{"Sid": "另一个大 ID","Effect": "允许",行动": [s3:放置对象"],资源":[arn:aws:s3:::my-bucket-name/*"]}]}

最后这样调用

let policy = {"版本": "2012-10-17",陈述": [{"sid": "new-custom-id","Effect": "允许","动作": ["s3:PutObject"],资源":[arn:aws:s3:::my-bucket-name/*"]}]};让参数 = {持续时间秒:3600，ExternalId: 'some-value',策略:JSON.stringify(policy),RoleArn: "arn:aws:iam::NUMBER:role/ROLE-NAME",//勾选，角色同第一步RoleSessionName: this.makeNewSessionId()};让 sts = new AWS.STS({ apiVersion: '2012-08-10' });sts.assumeRole(params, (err, data) => {if(err) console.log(err);否则 console.log(data);});

解决方案

缺少一个步骤:在第一步中创建的角色上设置信任关系.不管用户有什么权限，如果没有设置信任关系，STS都会拒绝请求.

IAM 角色疑难解答解释其工作原理.>

I am getting an error when calling to assume role method of STS. It says that the user is not authorized to perform sts:AsumeRole on resource xxx.

I did the following:

1. I created a role to access to S3 bucket.
2. I ran a test over policy simulator and works fine
3. I created a new group, and in it, i created a new policy that enables all sts actions, over all resources.
4. I ran a test with the policy simulator, to sts assume role, pointing to the ARN of role created at step one; and it works fine
5. I created a new user, and put it in group created at step 3
6. With the credentials of the new user, i try to get a new credentials using sts asume role, but throw me an error that say my user is not authorized to perform sts:AssumeRole

What am I doing wrong?

Policy in Group

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "some-large-id",
            "Effect": "Allow",
            "Action": [
                "sts:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Policy in role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "another-large-id",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket-name/*"
            ]
        }
    ]
}

And finally calling like this

let policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "new-custom-id",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": ["arn:aws:s3:::my-bucket-name/*"]
        }
    ]
};

let params = {
    DurationSeconds: 3600, 
    ExternalId: 'some-value', 
    Policy: JSON.stringify(policy), 
    RoleArn: "arn:aws:iam::NUMBER:role/ROLE-NAME", //Cheked, role is the same that step one
    RoleSessionName: this.makeNewSessionId()
};
let sts = new AWS.STS({ apiVersion: '2012-08-10' });

sts.assumeRole(params, (err, data) => {
    if(err) console.log(err);
    else console.log(data);
});

解决方案

There is a step that was missing: set trust relationship on role created in step one. No matter what privileges the user had, if the trust relationship is not set, STS will refuse the request.

Troubleshooting IAM Roles explain how it works.

这篇关于如何启用对 AWS STS AssumeRole 的访问的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！