I'll start by saying that the trust policy, as shown in the UI, lists role/workdocs_api_pull under the trusted entities that can assume this role for /WorkDocs_API_Developer. Also note that this is cross-account.
Here is the error:
Traceback (most recent call last):
File "/var/task/workdocs_api_pull/bin/dcgs_sds_pull.py", line 76, in lambda_handler
get_folder_contents(aws_region)
File "/var/task/workdocs_api_pull/bin/dcgs_sds_pull.py", line 56, in get_folder_contents
role = assume_role(wd_role_arn, aws_region)
File "/var/task/workdocs_api_pull/bin/dcgs_sds_pull.py", line 48, in assume_role
RoleSessionName = 'workdocs_session'
File "/var/runtime/botocore/client.py", line 272, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/var/runtime/botocore/client.py", line 576, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::<account_num>:assumed-role/LambdaFullAccessRole/workdocs_api_pull is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account_num>:role/WorkDocs_API_Developer
Here is the code:
import boto3

aws_region = 'us-east-1'
wd_role_arn = 'arn:aws:iam::<account_num>:role/WorkDocs_API_Developer'


def temp_keys():
    # Credentials of the Lambda execution role (the caller in the error above)
    session = boto3.Session()
    credentials = session.get_credentials()
    keys = credentials.get_frozen_credentials()
    return keys


def assume_role(wd_role_arn, aws_region):
    creds = temp_keys()
    boto_sts = boto3.client('sts',
                            aws_access_key_id=creds.access_key,
                            aws_secret_access_key=creds.secret_key,
                            aws_session_token=creds.token,
                            region_name=aws_region
                            )
    # This is the call that fails with AccessDenied
    role_credentials = boto_sts.assume_role(RoleArn=wd_role_arn,
                                            RoleSessionName='workdocs_session'
                                            )
    # assume_role returns a dict; the temporary keys are under 'Credentials'
    return role_credentials['Credentials']


def lambda_handler(event, context):
    def get_folder_contents(aws_region):
        role = assume_role(wd_role_arn, aws_region)
        # Writes the temporary credentials to the Lambda log
        print(role['AccessKeyId'], '\n', role['SecretAccessKey'], '\n', role['SessionToken'])
        folder_id = '<folder_id>'
        client = boto3.client('workdocs',
                              aws_access_key_id=role['AccessKeyId'],
                              aws_secret_access_key=role['SecretAccessKey'],
                              aws_session_token=role['SessionToken'],
                              region_name=aws_region
                              )
        folder = client.get_folder(FolderId=folder_id)
        print(folder)
        return folder

    get_folder_contents(aws_region)
How can I figure out why this isn't working?
In this case the answer was not the trust policy but the permissions policy. I needed to add sts:AssumeRole to the permissions policy of the IAM role in my account.
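The two-sided check the answer describes, as an added example that is not part of the question or answer: a cross-account AssumeRole needs the caller's own permissions policy to allow sts:AssumeRole on the target ARN and the target role's trust policy to name the caller. Policy documents and account numbers are constructed; conditions and NotAction/NotResource are ignored.

```python
# Added example, not the asker's code: a simplified model of the two checks AWS
# makes on a cross-account sts:AssumeRole (conditions, NotAction/NotResource and
# non-"AWS" principals ignored). Account numbers are constructed placeholders.
import fnmatch, re

CALLER_STS_ARN = "arn:aws:sts::111111111111:assumed-role/LambdaFullAccessRole/workdocs_api_pull"
TARGET_ROLE_ARN = "arn:aws:iam::222222222222:role/WorkDocs_API_Developer"
# Trust policy on the target role, naming the Lambda role (the part that was already right).
TRUST_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/LambdaFullAccessRole"}}]}
# Permissions policy on the Lambda role before and after adding sts:AssumeRole.
LAMBDA_POLICY_BEFORE = {"Statement": [
    {"Effect": "Allow", "Action": "workdocs:*", "Resource": "*"}]}
LAMBDA_POLICY_AFTER = {"Statement": LAMBDA_POLICY_BEFORE["Statement"] + [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE_ARN}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value):
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def caller_role_arn(sts_arn):
    """Map the assumed-role STS ARN seen in the error to the IAM role ARN a trust policy names."""
    m = re.match(r"arn:aws:sts::(\d+):assumed-role/([^/]+)/", sts_arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else sts_arn

def _evaluate(statements, applies):
    """IAM logic: an explicit Deny wins; otherwise at least one matching Allow is required."""
    allowed = False
    for st in statements:
        if _matches(st.get("Action", []), "sts:AssumeRole") and applies(st):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def identity_policy_allows(policy, target_role_arn):
    return _evaluate(policy["Statement"],
                     lambda st: _matches(st.get("Resource", []), target_role_arn))

def trust_policy_allows(trust, caller_arn):
    """Target side: the trust policy must name the caller role, its account, or '*'."""
    account = caller_arn.split(":")[4]
    accepted = {"*", caller_arn, account, f"arn:aws:iam::{account}:root"}
    return _evaluate(trust["Statement"],
                     lambda st: bool(accepted & set(_as_list(st["Principal"].get("AWS", [])))))

def can_assume_role(caller_sts_arn, identity_policy, target_role_arn, trust_policy):
    return (identity_policy_allows(identity_policy, target_role_arn)
            and trust_policy_allows(trust_policy, caller_role_arn(caller_sts_arn)))
```

With LAMBDA_POLICY_BEFORE the trust policy alone is not enough and can_assume_role returns False, matching the AccessDenied in the traceback; with LAMBDA_POLICY_AFTER it returns True.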