如何解决使用boto3从AWS检索临时凭证时访问被拒绝错误
我正在尝试使用this example之后的boto3从AWS获得一组临时凭证。
import boto3
from botocore.errorfactory import ClientError
# create an STS client object that represents a live connection to the
# STS service
sts_client = boto3.client('sts')
# Call the assume_role method of the STSConnection object and pass the role
# ARN and a role session name
assumed_role_object = sts_client.assume_role(
RoleArn="aws:iam::123456789:role/Upload_Data_To_S3",RoleSessionName="iam-s3-upload"
)
# From the response that contains the assumed role,get the temporary
# credentials that can be used to make subsequent API calls
credentials = assumed_role_object['Credentials']
# Use the temporary credentials that AssumeRole returns to make a
# connection to Amazon S3
s3_resource = boto3.resource(
's3',aws_access_key_id=credentials['AccessKeyId'],aws_secret_access_key=credentials['SecretAccessKey'],aws_session_token=credentials['SessionToken'],)
在以下情况下,我收到AccessDenied错误:
Exception has occurred: ClientError
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::123456789:user/Yury is not authorized to perform: sts:AssumeRole on resource: aws:iam::123456789:role/Upload_Data_To_S3
File "/home/ystanev/git-projects/ap_renewables/HighSpeed/s3-data-upload/s3_upload.py",line 18,in <module>
RoleSessionName="iam-s3-upload"
我的帐号和角色上的帐号匹配,因此我不确定为什么不能在自己的帐户下担任角色。我已经在AWS控制台下检查了IAM权限,我的帐户已附加到IAMFullAccess组。
{
"Version": "2012-10-17","Statement": [
{
"Effect": "Allow","Action": [
"iam:*","organizations:DescribeAccount","organizations:DescribeOrganization","organizations:DescribeOrganizationalUnit","organizations:DescribePolicy","organizations:ListChildren","organizations:ListParents","organizations:ListPoliciesForTarget","organizations:ListRoots","organizations:ListPolicies","organizations:ListTargetsForPolicy"
],"Resource": "*"
}
]
}
我已经检查过knowledge centre,但是由于IAM角色在我的帐户下,因此我不确定这是否适用于我的情况。
如何检查我是否拥有担任该角色的权限,以及是否未将其设置为允许。
谢谢,感谢您的帮助。
解决方法
您的用户需要权限sts:AssumeRole。我看不到您的保单。然后,如注释所示,您需要确保所承担角色的信任关系允许您的用户帐号承担该角色。信任政策最终看起来像这样:
{
"Version": "2012-10-17","Statement": [
{
"Effect": "Allow","Principal": {
"AWS": "arn:aws:iam::<account number of the role>:root"
},"Action": "sts:AssumeRole","Condition": {}
}
]
}
最佳做法是仅允许您用户的特定主体ARN承担信任关系中的角色,然后在附加到用户的策略中,您将明确列出可以通过sts:AssumeRole承担的角色允许*访问。
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 dio@foxmail.com 举报,一经查实,本站将立刻删除。