我试图通过一个假设的角色在另一个AWS账户中承担一个角色,通过AWS STS SDK授权使用WebIdentityTokenFileCredentialsProvider。它在k8s实例上运行,并提供凭据以访问帐户中的特定角色。
。账户1在k8spod上有account-1-role的凭据,并且想要承担存在于帐户2中的my-query-role角色。.
我当前的策略是这样的:
帐号1account-1-role权限策略
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Resource": [
"arn:aws:iam::<account_2_id>:role/my-query-role"
]
}
]
}
帐号2my-query-role信任策略
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::<account_1_id>:root"
]
},
"Action": "sts:AssumeRole"
}
]
}
Java
AwsCredentialsProvider awsCredentialsProvider = WebIdentityTokenFileCredentialsProvider.create();
StsClient stsClient = StsClient.builder()
.credentialsProvider(awsCredentialsProvider)
.region(Region.EU_WEST_1)
.build();
AssumeRoleRequest assumeRoleRequest = AssumeRoleRequest.builder()
.roleArn("arn:aws:iam::<account_2_id>:role/my-query-role")
.roleSessionName(MANAGED_PROMETHEUS_ROLE_SESSION)
.build();
AssumeRoleResponse assumeRoleResponse = stsClient.assumeRole(assumeRoleRequest);
问题
然而,当我试图通过AWSStsClient承担角色时,我得到以下错误:
software.amazon.awssdk.services.sts.model.StsException: User: arn:aws:sts::<account_1_id>:assumed-role/<account_1_role>/aws-sdk-java-1680536628314
is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account_2_id>:role/my-query-role
(Service: Sts, Status Code: 403, Request ID: 9aa79d21-344f-41b1-a251-8f81bb23af8c)
我的问题是,我是否必须为StsClient提供一个单独的策略才能使用该权限?通过阅读文档,我认为假设角色将具有与父角色相同的策略,因此将受到帐户2的信任。然而ARN似乎是另一种格式
。arn:aws:sts::<account_1_id>:assumed-role代替arn:aws:sts::<account_1_id>:role
my-query-roleIAM Role在Account 2中的信任策略错误。
应该更新Principal字段设置帐户1的IAM角色account-1-role的ARN。
信任策略- IAM Role - Account 2
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"<THIS SHOULD BE THE ARN OF IAM ROLE IN ACCOUNT 1>"
]
},
"Action": "sts:AssumeRole"
}
]
}