IAM用户无授权

发布于 2025-02-11 17:22:09 字数 2638 浏览 2 评论 0原文

我正在尝试与Java从IAM用户审核员的Java进行角色假设到另一个AWS帐户2，但它总是给我错误消息，如下所示：

AWSSecurityTokenServiceException: User: arn:aws:iam::account1:user/auditor is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::account2:role/roleTester (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: d6cf1458-a3ab-40f4-b24f-f1459a79a82d; Proxy: null)

ROULETESTER在Account2中的信任关系允许Account1允许Account1访问帐户2的资源是如下所示：

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account1:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "d5d2c143-f6b4-48e9-bd16-8708d86a0152"
                }
            }
        }
    ]
}

与此同时，在IAM用户审核员中，在account1中具有以下字符策略：

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:*",
            "Resource": "arn:aws:iam::account1:role/AuditorCheck"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "sts:*",
            "Resource": "*"
        }
    ]
}

使用IAM用户审核员的访问密钥，我尝试运行以下代码，但返回错误。

BasicAWSCredentials credentials = new BasicAWSCredentials("accesskey", "secretkey"); //Mitigant credential
AWSCredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
 AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(credentials)) // IAM User Auditor credential
                .withRegion(Regions.EU_CENTRAL_1) 
                .build();

AssumeRoleRequest roleRequest = new AssumeRoleRequest()
               .withRoleArn("arn:aws:iam::account2:role/roleTester") //the ARN of the role provided by cloud customers
               .withExternalId("d5d2c143-f6b4-48e9-bd16-8708d86a0152")  // the external ID provided by cloud customers
               .withRoleSessionName("test"); 

AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
Credentials sessionCredentials = roleResponse.getCredentials();
BasicSessionCredentials awsCredentials = new BasicSessionCredentials(
               sessionCredentials.getAccessKeyId(),
               sessionCredentials.getSecretAccessKey(),
               sessionCredentials.getSessionToken());

帐户2的信任关系或帐户1的内联策略是否有问题？

原文

I am trying to do role assumption with Java from IAM User auditor of account1 to another AWS account account2 but it always give me the error message as follow:

AWSSecurityTokenServiceException: User: arn:aws:iam::account1:user/auditor is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::account2:role/roleTester (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: d6cf1458-a3ab-40f4-b24f-f1459a79a82d; Proxy: null)

The trust relationship of the role roleTester in account2 that would allow account1 to access the account2's resources is as follows:

{
    "Version": "2008-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::account1:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "StringEquals": {
                    "sts:ExternalId": "d5d2c143-f6b4-48e9-bd16-8708d86a0152"
                }
            }
        }
    ]
}

Meanwhile, in the IAM User auditor in account1 has the inline policy as follow:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:*",
            "Resource": "arn:aws:iam::account1:role/AuditorCheck"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "sts:*",
            "Resource": "*"
        }
    ]
}

Using the access key of IAM user auditor, I tried to run the following code but returned error.

BasicAWSCredentials credentials = new BasicAWSCredentials("accesskey", "secretkey"); //Mitigant credential
AWSCredentialsProvider credentialsProvider = new EnvironmentVariableCredentialsProvider();
 AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(new AWSStaticCredentialsProvider(credentials)) // IAM User Auditor credential
                .withRegion(Regions.EU_CENTRAL_1) 
                .build();

AssumeRoleRequest roleRequest = new AssumeRoleRequest()
               .withRoleArn("arn:aws:iam::account2:role/roleTester") //the ARN of the role provided by cloud customers
               .withExternalId("d5d2c143-f6b4-48e9-bd16-8708d86a0152")  // the external ID provided by cloud customers
               .withRoleSessionName("test"); 

AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
Credentials sessionCredentials = roleResponse.getCredentials();
BasicSessionCredentials awsCredentials = new BasicSessionCredentials(
               sessionCredentials.getAccessKeyId(),
               sessionCredentials.getSecretAccessKey(),
               sessionCredentials.getSessionToken());

Is there something wrong with either of the trust relationship of account2 or the inline policy of account1?

分享到QQ

分享到微博