AWS AssumeRole授权不起作用
我试图在我的PHP程序中使用AWS sts调用AssumeRole函数,因为我想创建临时凭证以允许用户为AWS存储桶创建对象.
I am attempting to call the AssumeRole function using AWS sts in my PHP program since I want to create temporary credentials to allow a user to create an object for an AWS bucket.
以下是我所说的PHP的功能:
Below is the fumction I am calling PHP:
$sts = StsClient::factory(array(
'key' => 'XXXXXXXXXXXXXX',
'secret' => 'XXXXXXXXXXXXXXXX',
'token.ttd' => $timetodie
));
$bucket = "mybucket";
$result1 = $sts->assumeRole(array(
'RoleArn' => 'arn:aws:iam::123456789012:role/createPic',
'RoleSessionName' => 'mytest',
'Policy' => json_encode(array(
'Statement' => array(
array(
'Sid' => 'Deny attributes',
'Action' => array(
's3:deleteObject',
's3:deleteBucket'
),
'Effect' => 'Deny',
'Resource' => array(
"arn:aws:s3:::{$bucket}",
"arn:aws:s3:::{$bucket}/AWSLogs/*"
),
'Principal' => array(
'AWS' => "*"
)
)
)
)
),
'DurationSeconds' => 3600,
// 'ExternalId' => 'string',
));
$credentials = $result1->get('Credentials');
但是,我不断收到以下错误消息:
However, I keep getting the following error:
用户arn:aws:iam :: 123456789012:user/TVM用户无权执行:资源上的sts:AssumeRole:arn:aws:iam :: 123456789012:role/createPic
User arn:aws:iam::123456789012:user/TVMUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/createPic
以下是我在AWS控制台上对用户TVMUser的权限策略:
Below is my permissions policy for user TVMUser on my AWS console:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect":"Allow",
"Action":"ec2:RunInstances",
"Resource":"*"
},
{
"Effect":"Allow",
"Action":"iam:PassRole",
"Resource":"arn:aws:iam::791758789361:user/TVMUser"
},
{
"Effect":"Allow",
"Action":"sts:AssumeRole",
"Resource":"arn:aws:iam::791758789361:role/createPic"
}
]
}
以下是我的角色createPic的角色策略:
Below is my role policy for the role createPic:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:Put*",
],
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::123456789012:role/createPic"
}
]
}
现在有人在AWS策略声明和AWS上设置中缺少我的信息了吗,所以我没有收到错误:用户arn:aws:iam :: 123456789012:user/TVMUser无权执行:sts:AssumeRole关于资源:arn:aws:iam :: 123456789012:role/createPic?
Does anyone now what I am missing in my AWS policy statements and setup on AWS so I don't get the error: User arn:aws:iam::123456789012:user/TVMUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/createPic?
我想念什么吗?
您还需要编辑该角色的信任"关系,以允许该帐户(即使是相同的)承担该角色.
You also need to edit the Trust relationship for the role to allow the account (even if it's the same) to assume the role.
- 在控制台中打开要承担的角色
- 点击信任关系"标签
- 点击编辑RelationShip"
- 为要添加的帐户添加一条对帐单(通常,受信任的实体"中只有ec2服务)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/some-role"
},
"Action": "sts:AssumeRole"
}
]
}
在此示例中,我必须添加具有正确帐号的"AWS"主体,ec2.amazonaws.com服务已经存在.
In this example I had to add the "AWS" principal with the proper account number, the ec2.amazonaws.com Service was already there.
完成此操作后,我可以毫无问题地担任这个角色.确实花了我几个小时来解决这个问题,希望对您有所帮助.
After I've done that I was able to assume the role without issue. Took me literally hours to figure this out, hope that will help someone.