AWS 代入的角色未按预期使用 boto3 工作

我想使用 aws SSM 在 ec2 实例 (i-0691847a77( 上执行 ssm：DescribeInstanceInformation 操作，方法是假设 IAM 角色 (iam_ssm_role( 定义了以下策略。

两个 IAM 角色位于同一个 AWS 账户上iam_base_role ARN 已在 iam_ssm_role 年添加为可信策略。

{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"ssm:*",
"ec2:DescribeImages",
"cloudwatch:PutMetricData",
"ec2:DescribeInstances",
"lambda:InvokeFunction",
"ec2:DescribeTags",
"ec2:DescribeVpcs",
"cloudwatch:GetMetricStatistics",
"ec2:DescribeSubnets",
"ec2:DescribeKeyPairs",
"cloudwatch:ListMetrics",
"ec2:DescribeSecurityGroups"
],
"Resource": "*"
}

我在具有 IAM 角色 (iam_base_role( 的 ec2 实例上运行以下代码

import boto3
from boto3.session import Session

def assume_role(arn, session_name):
client = boto3.client('sts')
response = client.assume_role(RoleArn=arn, RoleSessionName=session_name)
session = Session(aws_access_key_id=response['Credentials']['AccessKeyId'],
aws_secret_access_key=response['Credentials']['SecretAccessKey'],
aws_session_token=response['Credentials']['SessionToken'])
client = session.client('sts')
account_id = client.get_caller_identity()["Account"]
print(response['AssumedRoleUser']['AssumedRoleId'])
assume_role('arn:aws:iam::000001:role/iam_ssm_role', 'ssm_session')

client = boto3.client('ssm', region_name = 'us-east-1')
ssm_response = client.describe_instance_information(
InstanceInformationFilterList=[
{
'key': 'InstanceIds',
'valueSet': [
'i-0f0099877fgg'
]
}
]
)
print(ssm_response)

我收到拒绝访问错误，假定的角色显示为"iam_ssm_role"，但看起来 SSM 正在使用iam_base_role而不是iam_ssm_role

AROAV6BDS6PTVQBU:iam_ssm_role
botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the DescribeInstanceInformation operation: User: arn:aws:sts::000001:assumed-role/iam_base_role/i-0691847a77 is not authorized to perform: ssm:DescribeInstanceInformation on resource: arn:aws:ssm:us-east-1:000001:*