如何从另一个 AWS 角色代入 AWS 角色?

编程入门行业动态更新时间:2024-10-26 02:32:19

本文介绍了如何从另一个 AWS 角色代入 AWS 角色?的处理方法，对大家解决问题具有一定的参考价值，需要的朋友们下面随着小编来一起学习吧！问题描述

我有两个 AWS 账户 - 比如说 A 和 B.

I have two AWS account - lets say A and B.

在账户 B 中，我定义了一个角色，允许从账户 A 访问另一个角色.我们称之为角色 B

In account B, I have a role defined that allow access to another role from account A. Lets call it Role-B

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::********:role/RoleA" }, "Action": "sts:AssumeRole" }] }

在账户 A 中，我定义了一个角色，允许 root 用户承担角色.让我们称之为角色-A

In account A, I have defined a role that allows the root user to assume role. Lets call it Role-A

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::********:root" }, "Action": "sts:AssumeRole" }] }

角色 A 附加了以下策略

Role A has the following policy attached to it

{ "Version": "2012-10-17", "Statement": [ { "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::****:role/RoleB", "Effect": "Allow" }] }

作为帐户 A 中的用户，我承担了角色 A.现在使用这个临时凭证，我想承担角色 B 并访问帐户 B 拥有的资源.我有以下代码

As a user in account A, I assumed the Role-A. Now using this temporary credential, I want to assume the Role-B and access the resource owned by account B. I have the below code

client = boto3.client('sts') firewall_role_object = client.assume_role( RoleArn=INTERMEDIARY_IAM_ROLE_ARN, RoleSessionName=str("default"), DurationSeconds=3600) firewall_credentials = firewall_role_object['Credentials'] firewall_client = boto3.client( 'sts', aws_access_key_id=firewall_credentials['AccessKeyId'], aws_secret_access_key=firewall_credentials['SecretAccessKey'], aws_session_token=firewall_credentials['SessionToken'], ) optimizely_role_object = firewall_client.assume_role( RoleArn=CUSTOMER_IAM_ROLE_ARN, RoleSessionName=str("default"), DurationSeconds=3600) print(optimizely_role_object['Credentials'])

此代码适用于我从客户那里获得的一组角色，但不适用于我在我有权访问的两个 AWS 账户之间定义的角色.

This code works for the set of roles I got from my client but is not working for the roles I defined between two of the AWS account I have access to.

推荐答案

终于搞定了.上面的配置是正确的.政策中有拼写错误.

Finally got this working. The above configuration is correct. There was a spelling mistake in the policy.

我将这个问题保留在这里，因为它可能对想要使用角色实现双跳身份验证的人有所帮助.

I will keep this question here for it may help someone who want to achieve double hop authentication using roles.