Cannot assume a role from a Lambda function - Python
Stack Overflow user
Asked on 2017-09-10 05:48:53
Answers: 4   Views: 4.7K   Followers: 0   Votes: 3

Hi, I have been having this strange problem since yesterday. I have a Python module web_token.py; when I run it manually in PyCharm and print request_url, it works fine and outputs the requested_url. But when I zip my web_token.py and fetch_accounts.py together and upload them to a Lambda function, it gives the following error:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::5398XXXXXXX:assumed-role/sandbox-amp_sandbox-dev/sandbox-dev-amp_sandbox is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::4540XXXXXXXX:role/AMPSandbox

I even tried giving it FullAdministrativeAccess, but it still does not seem to work, although I am able to generate the requested_url when I run web_token.py standalone in PyCharm. Could anyone give me some guidance? I would appreciate it.

The code snippets are from

retrieve_accounts.py

import boto3

# Importing web_token runs its module-level code, so the sts:AssumeRole call
# below happens while the Lambda handler module is being loaded.
import web_token


def get_account(event, context):
    client = boto3.client('dynamodb')
    NameID = "test@orgz.com"
    ManagerEmail = "test1@orgaz.com"
    response = client.scan(
        TableName='Sandbox-Users',
        ScanFilter={
            'NameID': {
                'AttributeValueList': [
                    {
                        'S': NameID,
                    },
                ],
                'ComparisonOperator': 'EQ'
            }
        }
    )
    return web_token.request_url

web_token.py

# Python 2 standard library modules (in Python 3 these are http.client and urllib.parse).
import httplib
import urllib, json
import boto3

# Everything below runs at import time. The STS client uses the credentials of
# whatever identity is running the code (here, the Lambda execution role).
client = boto3.client('sts')
assumed_role_object = client.assume_role(
    RoleArn="arn:aws:iam::4540XXXXXXXX:role/AMPSandboxRole",
    RoleSessionName="AssumeRoleSession"
)

# Step 3: Format resulting temporary credentials into JSON
json_string_with_temp_credentials = '{'
json_string_with_temp_credentials += '"sessionId":"' + assumed_role_object.get("Credentials").get("AccessKeyId") + '",'
json_string_with_temp_credentials += '"sessionKey":"' + assumed_role_object.get("Credentials").get("SecretAccessKey") + '",'
json_string_with_temp_credentials += '"sessionToken":"' + assumed_role_object.get("Credentials").get("SessionToken") + '"'
json_string_with_temp_credentials += '}'

# Step 4. Make request to AWS federation endpoint to get sign-in token. Construct the parameter string with
# the sign-in action request, a 12-hour session duration, and the JSON document with temporary credentials
# as parameters.
request_parameters = "?Action=getSigninToken"
request_parameters += "&SessionDuration=43200"
request_parameters += "&Session=" + urllib.quote_plus(json_string_with_temp_credentials)
request_url = "/federation" + request_parameters

conn = httplib.HTTPSConnection("signin.aws.amazon.com")
conn.request("GET", request_url)
r = conn.getresponse()
# Returns a JSON document with a single element named SigninToken.
signin_token = json.loads(r.read())

request_parameters = "?Action=login"
request_parameters += "&Issuer=sandbox.com"
request_parameters += "&Destination=" + urllib.quote_plus("https://console.aws.amazon.com/")
request_parameters += "&SigninToken=" + signin_token["SigninToken"]
request_url = "https://signin.aws.amazon.com/federation" + request_parameters

Update: I have two policies attached to the sandbox-amp_sandbox-dev role -

InfraLoggingPolicy in 5398XXXXXXX

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sqs:SendMessage",
                "sqs:SendMessageBatch"
            ],
            "Resource": "arn:aws:sqs:*:131703196249:org-logging-prod",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DescribeInstances",
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": [
                "arn:aws:s3:::em-log-intake-us-east-1-prod/*",
                "arn:aws:s3:::em-log-intake-us-west-2-prod/*"
            ]
        }
    ]
}

sandbox-amp_sandbox-policy-dev in 5398XXXXXXX

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Action": "dynamodb:*",
            "Resource": "arn:aws:dynamodb:*:*:*"
        }
    ]
}

Update 2.0: The policies above are from my account 5398XXXXXXX. In account 4540XXXXXXXX I have the role AMPSandboxRole, and under that account I have the following policies

AssumeRole in 4540XXXXXXXX

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Resource": "arn:aws:iam::*:role/AMPSandboxRole",
            "Action": "sts:AssumeRole"
        }
    ]
}

Organization access in 4540XXXXXXXX

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "organizations:Describe*",
                "organizations:List*",
                "organizations:CreateAccount",
                "organizations:MoveAccount"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:MoveAccount"
            ],
            "Resource": "arn:aws:organizations::454084028794:root/o-eyec2h6qr0/r-ekzh"
        },
        {
            "Effect": "Allow",
            "Action": [
                "organizations:*"
            ],
            "Resource": "arn:aws:organizations::45xxxxxxxxxx:ou/o-eyec2h6qr0/ou-ekzh-x2xcsupl"
        }
    ]
}

Update 3.0: Trust relationship in 45xxxxxxxxxx

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::53xxxxxxxxxx:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

4 Answers

Stack Overflow user

Accepted answer

Posted on 2018-07-31 04:41:19

I was finally able to figure this out with some people from the AWS team. So, whenever we assume a role from one account into another, we need to explicitly provide the access key and secret key of the account whose role we are assuming. So it should look like this -

sts_connection = boto3.client('sts',
                              aws_access_key_id="",
                              aws_secret_access_key="")

After providing these details I was finally able to assume the role in the other account. Thanks everyone for the guidance and help.

Votes: 0

Stack Overflow user

Posted on 2017-09-10 12:42:46

The error message is:

User: arn:aws:sts::5398XXXXXXX:assumed-role/sandbox-amp_sandbox-dev/sandbox-dev-amp_sandbox is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::4540XXXXXXXX:role/AMPSandbox

The AWS Lambda function will execute under the role you listed above. It only has permission to call dynamodb:*. It also needs permission to call AssumeRole.

Your policy should be updated to:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermitDynamoDB",
      "Action": "dynamodb:*",
      "Effect": "Allow",
      "Resource": "*"
    },
    {
      "Sid": "PermitAssumeRole",
      "Action": [
        "sts:AssumeRole"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::4540XXXXXXXX:role/AMPSandboxRole"
    }
  ]
}
Votes: 1

Stack Overflow user

Posted on 2017-09-10 16:01:11

I think you forgot the Principal entry in the trust relationship policy document:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermitAssumeRole",
      "Action": [
        "sts:AssumeRole"
      ],
      "Principal": {
        "Service": [
          "dynamodb.amazonaws.com",
          "lambda.amazonaws.com"
        ]
      },
      "Effect": "Allow"
    }
  ]
}

A trust policy is a JSON-format document in which you define who is allowed to assume the role. This trusted entity is included in the policy as the Principal element of the document.

So your trust relationship policy document should include, in the Principal element, the AWS resource that you expect to assume this role.

Votes: 0
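Both halves of the cross-account authorization described in the two answers above (the execution role's sts:AssumeRole permission, and the target role's trust policy naming the caller) can be checked offline before deploying. The following is an added example, not code from the question or the answers; the account ids and policy documents are constructed from the masked values on the page, and the matcher implements only IAM's `*`/`?` wildcards and Allow/Deny precedence, not condition keys.

```python
import fnmatch

# Constructed sample inputs modelled on the question (account ids masked as on the page).
CALLER_ACCOUNT = "5398XXXXXXX"
CALLER_ROLE_ARN = "arn:aws:iam::5398XXXXXXX:role/sandbox-amp_sandbox-dev"
TARGET_ROLE_ARN = "arn:aws:iam::4540XXXXXXXX:role/AMPSandboxRole"

# Execution-role policy as originally attached (DynamoDB only) and the corrected form.
ORIGINAL_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "arn:aws:dynamodb:*:*:*"}]}
FIXED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "dynamodb:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": TARGET_ROLE_ARN}]}
# Trust policy on the target role: it must name the calling account or role as principal.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole",
     "Principal": {"AWS": "arn:aws:iam::5398XXXXXXX:root"}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def identity_allows(policy, action, resource):
    """Half 1: the caller's own identity policy must allow `action` on `resource`."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        acts = [a.lower() for a in _as_list(stmt.get("Action", []))]  # actions are case-insensitive
        if not any(fnmatch.fnmatchcase(action.lower(), a) for a in acts):
            continue
        if not any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False  # an explicit Deny overrides every Allow
        allowed = True
    return allowed

def trust_allows(trust, caller_role_arn, caller_account):
    """Half 2: the target role's trust policy must list the caller as a principal."""
    accepted = {caller_role_arn, caller_account, "arn:aws:iam::%s:root" % caller_account, "*"}
    for stmt in _as_list(trust["Statement"]):
        acts = [a.lower() for a in _as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(fnmatch.fnmatchcase("sts:assumerole", a) for a in acts):
            continue
        if accepted & set(_as_list(stmt.get("Principal", {}).get("AWS", []))):
            return True
    return False

def can_assume(policy, trust, caller_role_arn, caller_account, target_role_arn):
    """Both halves must pass; fixing only one side still yields AccessDenied."""
    return (identity_allows(policy, "sts:AssumeRole", target_role_arn)
            and trust_allows(trust, caller_role_arn, caller_account))
```

With the original DynamoDB-only policy `can_assume` returns False even though the trust policy is correct; with the corrected policy it returns True, and no static access keys are needed because the Lambda execution role's credentials are used.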
The original page content is provided by Stack Overflow; translation supported by Tencent Cloud's IT-domain engine.
Original link:

https://stackoverflow.com/questions/46135413
