我使用AWS IAM角色,让一个实例来访问使用临时API证书某些资源(访问密钥,密钥和安全令牌)。
当我测试使用这个Ruby脚本临时凭证,它运行没有任何问题:
需要'rubygems的' 要求AWS-SDK AWS.config( :access_key_id => 我的访问键GOES HERE, :secret_access_key => 我的秘密钥匙GOES HERE, :session_token => 我的TOKEN GOES HERE) S3 = AWS :: S3.new() MYFILE = s3.buckets ['我的-配置']。对象[file.sh] File.open方法(/ tmp目录/ file.sh,W)做| F | f.write(myfile.read) 结束
但是,使用命令行运行时,CFN-描述-栈我得到一个错误:
出口AWS_CREDENTIAL_FILE = aws_credentials.cfg CFN-描述,堆 CFN-描述-栈:拒绝:包含在请求安全令牌无效和这里是我的aws_credentials.cfg:
AWSAccessKeyId = MY快捷键 AWSSecretKey =我的秘密密钥 AWSToken =MY TOKEN ==
那么,我在这里丢失?谢谢!
解决方案我不认为CLI工具支持的临时凭证。如果他们这么做,你应该能够在通过您的AWSToken作为命令行参数。但据文档,它只支持传入访问密钥ID和密钥作为参数。
-I,--access-key-id的值
指定值作为AWS访问标识使用。
-S,--secret键值
指定的值作为AWS密钥来使用。
I'm using AWS IAM roles that allows an instance to have access to certain resources using temporary API credentials (access key, secret key and security token).
When I test the temporary credentials using this ruby script, it runs without any problems :
require 'rubygems' require 'aws-sdk' AWS.config( :access_key_id => "MY ACCESS KEY GOES HERE", :secret_access_key => "MY SECRET KEY GOES HERE", :session_token => "MY TOKEN GOES HERE") s3 = AWS::S3.new() myfile = s3.buckets['My-Config'].objects["file.sh"] File.open("/tmp/file.sh", "w") do |f| f.write(myfile.read) endBut when using command line to run cfn-describe-stacks I get an error:
export AWS_CREDENTIAL_FILE=aws_credentials.cfg cfn-describe-stacks cfn-describe-stacks: Refused: The security token included in the request is invalidand here is my aws_credentials.cfg :
AWSAccessKeyId=MY ACCESS KEY AWSSecretKey=My SECRET KEY AWSToken="MY TOKEN=="So what am i missing here ? Thank you!
解决方案I don't think that the CLI tools support temporary credentials. If they did, you should be able to pass your "AWSToken" in as a command line parameter. But according to the documentation, it only supports passing in the access key id and secret key as parameters.
-I, --access-key-id VALUE
Specify VALUE as the AWS Access ID to use.
-S, --secret-key VALUE
Specify VALUE as the AWS Secret Key to use.
更多推荐
如何使用IAM角色来使用临时凭据访问资源?
发布评论