我的lambda,名为"configure idp",在帐户AAAAAAAAAAAA中作为角色"configure saml providerA"运行。我需要在帐户BBBBBBBBBB中扮演角色"configure saml providerB",该角色有权为帐户BBBBBB配置ipd。"configure saml providerB"上的信任看起来像:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:sts::AAAAAAAAAAAA:assumed-role/configure-saml-providerA/configure-idp"
},
"Action": "sts:AssumeRole"
}
]
}
然而,当我的lambda尝试运行assume_role
命令(见下文(时,我得到:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::AAAAAAAAAAAA:assumed-role/configure-saml-providerA/configure-idp is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::BBBBBBBBBBBB:role/configure-saml-provider
上面提到的assume_role
代码是:
client = boto3.client('sts')
assumed_role_object = client.assume_role(
RoleArn = f"arn:aws:iam::BBBBBBBBBBBB:role/configure-saml-providerB",
RoleSessionName = "LambdaSetIDPSession"
)
我还尝试将信托中的主要ARN改为这样:
arn:aws:sts::AAAAAAAAAAAA:role/configure-saml-providerA
但是得到了同样的错误。
为什么我不能担任角色arn:aws:iam::BBBBBBBBBBBB:role/configure-saml-providerB
,而对该角色的信任设置为允许我这样做?
考虑以下
https://aws.amazon.com/es/premiumsupport/knowledge-center/iam-assume-role-error/
也许你是aws组织的一员,有一个SCP限制你扮演这个角色?
问题是,在尝试扮演角色时,我在ARN中使用了帐户别名,而不是帐户id。你不会在帖子中看到我混淆了敏感信息。