Hi, I have had this weird issue since yesterday. I have a Python module web_token.py; when I run it manually in PyCharm and print request_url, it works fine and outputs the requested_url. But when I zip my web_token.py and fetch_accounts.py together and upload them to a Lambda function, it gives the following error:

```text
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::5398XXXXXXX:assumed-role/sandbox-amp_sandbox-dev/sandbox-dev-amp_sandbox is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::4540XXXXXXXX:role/AMPSandbox
```
I even tried giving it FullAdministrativeAccess, but it still doesn't seem to work, although I am able to generate the requested_url when I run web_token.py standalone in PyCharm. If anyone can give me some guidance, I would appreciate it.

Code snippets from:

retrieve_accounts.py
```python
import boto3
import web_token


def get_account(event, context):
    client = boto3.client('dynamodb')
    NameID = "test@orgz.com"
    ManagerEmail = "test1@orgaz.com"
    response = client.scan(
        TableName='Sandbox-Users',
        ScanFilter={
            'NameID': {
                'AttributeValueList': [
                    {
                        'S': NameID,
                    },
                ],
                'ComparisonOperator': 'EQ'
            }
        }
    )
    return web_token.request_url
```
web_token.py
```python
import httplib
import urllib, json
import boto3

client = boto3.client('sts')
assumed_role_object = client.assume_role(
    RoleArn="arn:aws:iam::4540XXXXXXXX:role/AMPSandboxRole",
    RoleSessionName="AssumeRoleSession"
)

# Step 3: Format resulting temporary credentials into JSON
json_string_with_temp_credentials = '{'
json_string_with_temp_credentials += '"sessionId":"' + assumed_role_object.get("Credentials").get("AccessKeyId") + '",'
json_string_with_temp_credentials += '"sessionKey":"' + assumed_role_object.get("Credentials").get("SecretAccessKey") + '",'
json_string_with_temp_credentials += '"sessionToken":"' + assumed_role_object.get("Credentials").get("SessionToken") + '"'
json_string_with_temp_credentials += '}'

# Step 4. Make request to AWS federation endpoint to get sign-in token. Construct the parameter string with
# the sign-in action request, a 12-hour session duration, and the JSON document with temporary credentials
# as parameters.
request_parameters = "?Action=getSigninToken"
request_parameters += "&SessionDuration=43200"
request_parameters += "&Session=" + urllib.quote_plus(json_string_with_temp_credentials)
request_url = "/federation" + request_parameters
conn = httplib.HTTPSConnection("signin.aws.amazon.com")
conn.request("GET", request_url)
r = conn.getresponse()

# Returns a JSON document with a single element named SigninToken.
signin_token = json.loads(r.read())

request_parameters = "?Action=login"
request_parameters += "&Issuer=sandbox.com"
request_parameters += "&Destination=" + urllib.quote_plus("https://console.aws.amazon.com/")
request_parameters += "&SigninToken=" + signin_token["SigninToken"]
request_url = "https://signin.aws.amazon.com/federation" + request_parameters
```
Update: I have two policies attached to the sandbox-amp_sandbox-dev role -

InfraLoggingPolicy in 5398XXXXXXX
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sqs:SendMessage",
        "sqs:SendMessageBatch"
      ],
      "Resource": "arn:aws:sqs:*:131703196249:org-logging-prod",
      "Effect": "Allow"
    },
    {
      "Action": [
        "ec2:DescribeInstances",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents"
      ],
      "Resource": "*",
      "Effect": "Allow"
    },
    {
      "Effect": "Allow",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::em-log-intake-us-east-1-prod/*",
        "arn:aws:s3:::em-log-intake-us-west-2-prod/*"
      ]
    }
  ]
}
```
sandbox-amp_sandbox-policy-dev in 5398XXXXXXX
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": "dynamodb:*",
      "Resource": "arn:aws:dynamodb:*:*:*"
    }
  ]
}
```
Update 2.0: The policies above are from my account 5398XXXXXXX. In account 4540XXXXXXXX I have the role AMPSandboxRole, and under that account I have the following policies.

AssumeRole in 4540XXXXXXXX
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/AMPSandboxRole",
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Organizations access in 4540XXXXXXXX
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "organizations:Describe*",
        "organizations:List*",
        "organizations:CreateAccount",
        "organizations:MoveAccount"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:MoveAccount"
      ],
      "Resource": "arn:aws:organizations::454084028794:root/o-eyec2h6qr0/r-ekzh"
    },
    {
      "Effect": "Allow",
      "Action": [
        "organizations:*"
      ],
      "Resource": "arn:aws:organizations::45xxxxxxxxxx:ou/o-eyec2h6qr0/ou-ekzh-x2xcsupl"
    }
  ]
}
```
Update 3.0: Trust relationship in 45xxxxxxxxxx
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::53xxxxxxxxxx:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
Posted on 2018-07-31 04:41:19

I was finally able to figure this out together with some people from the AWS team. So whenever we assume a role from one account into another, we need to explicitly provide the access key and secret key of the account from which we are assuming the role. So it should look like this -
```python
import boto3

sts_connection = boto3.client('sts',
                              aws_access_key_id="",
                              aws_secret_access_key="")
```
After providing these details I was finally able to assume the role in the other account. Thanks everyone for the guidance and help.

Posted on 2017-09-10 12:42:46

The error message is:

```text
AssumeRole User: arn:aws:sts::5398XXXXXXX:assumed-role/sandbox-amp_sandbox-dev/sandbox-dev-amp_sandbox is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::4540XXXXXXXX:role/AMPSandbox
```
The AWS Lambda function will execute under the role you listed above. It only has permission to call dynamodb:*. It also needs permission to call AssumeRole.

Your policy should be updated to:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermitDynamoDB",
      "Action": "dynamodb:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "PermitAssumeRole",
      "Action": [
        "sts:AssumeRole"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::4540XXXXXXXX:role/AMPSandboxRole"
    }
  ]
}
```
Posted on 2017-09-10 16:01:11

I think you forgot the Principal entry in the trust relationship policy document:
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermitAssumeRole",
      "Action": [
        "sts:AssumeRole"
      ],
      "Principal": {
        "Service": [
          "dynamodb.amazonaws.com",
          "lambda.amazonaws.com"
        ]
      },
      "Effect": "Allow",
      "Resource": "arn:aws:iam::4540XXXXXXXX:role/AMPSandboxRole"
    }
  ]
}
```
A trust policy is a JSON document in which you define who is allowed to assume the role. This trusted entity is included in the policy as the Principal element of the document.

Therefore, your trust relationship policy document should include, in the Principal element, the AWS resource that you expect to assume this role.
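The two answers above describe the two halves of a cross-account sts:AssumeRole: the caller's identity policy must allow the action on the target role, and the target role's trust policy must name the caller (or its account root). As an added example, not code from the question or the answers, the following Python models both checks using the policies and ARNs quoted on this page; the evaluation is deliberately simplified (no Condition blocks, SCPs or permission boundaries), which is an assumption of the example.

```python
import fnmatch

# Constructed from the policies and ARNs quoted on this page (masked account IDs kept).
CALLER_ARN = "arn:aws:sts::5398XXXXXXX:assumed-role/sandbox-amp_sandbox-dev/sandbox-dev-amp_sandbox"
TARGET_ROLE_ARN = "arn:aws:iam::4540XXXXXXXX:role/AMPSandboxRole"

# Identity policy on the Lambda execution role as the question shows it (dynamodb only).
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "arn:aws:dynamodb:*:*:*"}]}
# Identity policy as the first answer says it should be updated.
UPDATED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": TARGET_ROLE_ARN}]}
# Trust policy on AMPSandboxRole (Update 3.0): trusts the root of the caller's account.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::5398XXXXXXX:root"},
     "Action": "sts:AssumeRole"}]}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # IAM wildcards '*' and '?'; matched case-insensitively (a simplification of real IAM).
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))

def identity_allows(policy, action, resource):
    """Caller side: an explicit Deny wins, else any matching Allow, else implicit deny."""
    allowed = False
    for st in policy["Statement"]:
        if _matches(st.get("Action", []), action) and _matches(st.get("Resource", []), resource):
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def trust_allows(trust_policy, caller_arn):
    """Target side: the trust policy must name the caller or the root of the caller's account."""
    for st in trust_policy["Statement"]:
        if st["Effect"] != "Allow" or not _matches(st["Action"], "sts:AssumeRole"):
            continue
        for principal in _as_list(st.get("Principal", {}).get("AWS", [])):
            same_account = principal.endswith(":root") and principal.split(":")[4] == caller_arn.split(":")[4]
            if principal == caller_arn or same_account:
                return True
    return False

def can_assume(identity_policy, trust_policy, caller_arn, target_role_arn):
    """Cross-account AssumeRole succeeds only when both halves allow it."""
    return (identity_allows(identity_policy, "sts:AssumeRole", target_role_arn)
            and trust_allows(trust_policy, caller_arn))
```

With the question's original dynamodb-only policy the identity check fails and the call is denied, exactly as in the error message; with the first answer's updated policy both halves pass.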
https://stackoverflow.com/questions/46135413