unexpected exception AccessDenied: User: arn:aws:iam::123456789:user/abc is not authorized to perform: sts:AssumeRole on resource: arn:aws:chime
I have to generate a federated token using AWS STS for an authenticated Cognito user in the Cognito pool. The problem is that when I run the code following the AWS documentation, it returns this error:
unexpected exception AccessDenied: User: arn:aws:iam::123456789:user/abc is not authorized to perform: sts:AssumeRole on resource: arn:aws:chime:us-east-1:123456789:app-instance/xxx/user/yyy
I have been trying to solve this problem for the past week and have searched almost everything on the internet.
I have already tried some of these solutions, but still no luck:
Here's my trust relationship IAM Role JSON file:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement0",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789:user/abc"
},
"Action": "sts:AssumeRole"
},
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Sid": "Statement2",
"Effect": "Allow",
"Principal": {
"Service": "chime.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
And here is the inline policy of my IAM Role:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sts:GetSessionToken",
"sts:AssumeRole",
"sts:TagSession",
"sts:GetFederationToken",
"sts:SetSourceIdentity",
"sts:DecodeAuthorizationMessage",
"sts:AssumeRoleWithSAML",
"sts:GetAccessKeyInfo",
"sts:GetCallerIdentity",
"sts:AssumeRoleWithWebIdentity",
"sts:GetServiceBearerToken"
],
"Resource": "*"
}
]
}
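Added example, not part of the post above and not the poster's code. The resource named in the AccessDenied message is whatever the client passed as `RoleArn`, and here it is a Chime app-instance user ARN, which is not something STS can assume; STS also returns the same "not authorized to perform: sts:AssumeRole" text whether the role does not exist or its trust policy rejects the caller, so the message alone does not say which. The block below checks the `RoleArn` locally before calling STS, derives a `RoleSessionName` from the Chime user, and evaluates the posted inline policy (which allows `sts:AssumeRole` on `"*"`) against a version scoped to one role. The role name `ChimeMessagingRole` and the `assume_chime_session` wrapper are hypothetical; the Chime user ARN is the one from the error message.

```python
"""Local checks around sts:AssumeRole for a Chime SDK messaging client.

Added example; assumptions are marked as such in comments."""
import re

ROLE_ARN = "arn:aws:iam::123456789:role/ChimeMessagingRole"  # hypothetical role name
CHIME_USER_ARN = "arn:aws:chime:us-east-1:123456789:app-instance/xxx/user/yyy"  # from the error


def parse_arn(arn):
    """Split an ARN into its six colon-separated fields (resource may contain ':')."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn":
        raise ValueError(f"not an ARN: {arn!r}")
    return {"partition": parts[1], "service": parts[2], "region": parts[3],
            "account": parts[4], "resource": parts[5]}


def is_iam_role_arn(arn):
    """STS can only assume IAM roles: service 'iam', empty region, resource 'role/...'."""
    try:
        a = parse_arn(arn)
    except ValueError:
        return False
    return a["service"] == "iam" and a["region"] == "" and a["resource"].startswith("role/")


def _match(pattern, value, case_sensitive):
    """IAM-style wildcard match: '*' any run, '?' one character."""
    if not case_sensitive:
        pattern, value = pattern.lower(), value.lower()
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value) is not None


def policy_allows(policy, action, resource):
    """Minimal identity-policy evaluation: an explicit Deny wins, otherwise any Allow.
    Actions compare case-insensitively, resources case-sensitively. Condition,
    NotAction and NotResource are deliberately not handled (not needed here)."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        resources = stmt["Resource"] if isinstance(stmt["Resource"], list) else [stmt["Resource"]]
        if not (any(_match(a, action, False) for a in actions)
                and any(_match(r, resource, True) for r in resources)):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# The posted inline policy (action list abridged): every STS action on every resource.
POSTED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:TagSession"], "Resource": "*"}]}

# Least-privilege alternative: the same actions, but only on the one role that is needed.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:TagSession"], "Resource": ROLE_ARN}]}

_SESSION_NAME_OK = re.compile(r"^[\w+=,.@-]{2,64}$")  # RoleSessionName constraints


def build_assume_role_request(role_arn, app_instance_user_arn):
    """Build AssumeRole parameters: the IAM role goes in RoleArn; the Chime user
    only shapes RoleSessionName so CloudTrail records who the session is for.
    Raises locally when role_arn is not an IAM role instead of letting STS
    answer with an opaque AccessDenied."""
    if not is_iam_role_arn(role_arn):
        raise ValueError(f"RoleArn must be an IAM role ARN, got {role_arn!r}")
    user_id = parse_arn(app_instance_user_arn)["resource"].rsplit("/", 1)[-1]
    session_name = re.sub(r"[^\w+=,.@-]", "-", user_id)[:64]
    if not _SESSION_NAME_OK.match(session_name):
        raise ValueError(f"cannot derive a valid RoleSessionName from {user_id!r}")
    return {"RoleArn": role_arn, "RoleSessionName": session_name, "DurationSeconds": 3600}


def assume_chime_session(role_arn, app_instance_user_arn):
    """Hypothetical wrapper: perform the real call with boto3 (imported lazily so
    the checks above run offline). Needs credentials for the calling IAM user."""
    import boto3
    params = build_assume_role_request(role_arn, app_instance_user_arn)
    return boto3.client("sts").assume_role(**params)["Credentials"]


if __name__ == "__main__":
    for name, pol in (("posted", POSTED_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, "role:", policy_allows(pol, "sts:AssumeRole", ROLE_ARN),
              "chime user:", policy_allows(pol, "sts:AssumeRole", CHIME_USER_ARN))
    try:
        build_assume_role_request(CHIME_USER_ARN, CHIME_USER_ARN)
    except ValueError as err:
        print("rejected locally:", err)
    print(build_assume_role_request(ROLE_ARN, CHIME_USER_ARN))
```

Running the block shows that the posted policy "allows" `sts:AssumeRole` on the Chime user ARN as well as on the role, which is why widening the identity policy further cannot help; the scoped policy keeps the action usable on the role while ruling everything else out, and the request builder turns the mistake of passing a non-role ARN into an immediate local error.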