Amazon Web Services AWSSecurityTokenServiceException: Access Denied. User is not authorized to perform sts:AssumeRole


I am new to AWS. I want to generate temporary credentials for AWS calls. For this, I used

where I passed

String clientRegion = "<specific region>";
String roleARN = "<ARN from role>";
String roleSessionName = "Just random string"; //<-- maybe I should pass specific SessionName?
String bucketName = "<specific bucket name>";
and I get the error:

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam:::user/ is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<ID>:role/<ROLE_NAME> (Service: AWSSecurityTokenService; Status Code: 403; Error Code:

Got error response: com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: , S3 Extended Request ID:

It looks like you are missing the action s3:ListBucket in your policy. This action applies to the bucket resource. Also, for security reasons, you should remove the account ID from the policy you posted above in your latest update.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<iam user ID>:user/<USER_NAME>",
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<user pool ID>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<sidId1>",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::<path>*"
            ]
        },
        {
            "Sid": "sidId2",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Resource": [
                "arn:aws:iam::<ID>:role/<ROLE_NAME>"
            ]
        }
    ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com",
        "AWS": "arn:aws:iam::<ID>:user/<USER>"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:AssumeRoleWithWebIdentity"
      ]
    }
  ]
}
  // Verify that assuming the role worked and the permissions are set correctly
  // by getting a set of object keys from the bucket.
  ObjectListing objects = s3Client.listObjects(bucketName);
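Added example (not code from the question, the answer or the AWS SDK): a simplified policy check in Python that reproduces why the first trust policy above rejects an IAM user's sts:AssumeRole while the updated one accepts it, and why listObjects still fails until s3:ListBucket is granted on the bucket ARN. The account ID, user, role, bucket and Cognito pool values are constructed, and the evaluator models only the rules these policies exercise, not full IAM evaluation.

```python
import fnmatch

# Constructed sample identifiers; the question redacts the real account, user, role and bucket.
USER_ARN = "arn:aws:iam::111122223333:user/app-user"
ROLE_ARN = "arn:aws:iam::111122223333:role/upload-role"
BUCKET = "example-bucket"
def _matches(value, patterns):
    # IAM policy wildcards (* and ?) behave like shell globs for this purpose.
    patterns = patterns if isinstance(patterns, list) else [patterns]
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def _allows(stmt, action, resource=None, principal=None):
    """True if one Allow statement covers `action` (and `resource` / `principal` when given)."""
    if stmt.get("Effect") != "Allow" or not _matches(action, stmt.get("Action", [])):
        return False
    if resource is not None and not _matches(resource, stmt.get("Resource", [])):
        return False
    if principal is not None:
        if not _matches(principal, stmt.get("Principal", {}).get("AWS", [])):
            return False
        # The page's conditions key on cognito-identity.amazonaws.com:* request values, which an
        # IAM-user AssumeRole call never carries; StringEquals on a missing key is false. (Model only.)
        if stmt.get("Condition"):
            return False
    return True
def can_assume_role(identity_policy, trust_policy, user_arn, role_arn):
    """(caller side, role side): identity policy allows the role ARN; trust policy allows the user."""
    caller_ok = any(_allows(s, "sts:AssumeRole", role_arn) for s in identity_policy["Statement"])
    trust_ok = any(_allows(s, "sts:AssumeRole", principal=user_arn) for s in trust_policy["Statement"])
    return caller_ok, trust_ok
def can_list_bucket(identity_policy, bucket):
    """listObjects needs s3:ListBucket on the bucket ARN itself, not on an object-path pattern."""
    return any(_allows(s, "s3:ListBucket", f"arn:aws:s3:::{bucket}") for s in identity_policy["Statement"])
IDENTITY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:PutObjectAcl"],
     "Resource": [f"arn:aws:s3:::{BUCKET}/uploads/*"]},
    {"Effect": "Allow", "Action": ["sts:AssumeRole", "sts:AssumeRoleWithWebIdentity"],
     "Resource": [ROLE_ARN]}]}
# First trust policy on the page: only AssumeRoleWithWebIdentity, plus a Cognito-only condition.
TRUST_ORIGINAL = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_ARN, "Federated": "cognito-identity.amazonaws.com"},
     "Action": "sts:AssumeRoleWithWebIdentity",
     "Condition": {"StringEquals": {"cognito-identity.amazonaws.com:aud": "us-east-1:pool-id"}}}]}
# Updated trust policy: sts:AssumeRole added and the condition dropped.
TRUST_UPDATED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_ARN, "Federated": "cognito-identity.amazonaws.com"},
     "Action": ["sts:AssumeRole", "sts:AssumeRoleWithWebIdentity"]}]}
# Identity policy with the s3:ListBucket grant the answer says is missing.
IDENTITY_WITH_LIST = {"Version": "2012-10-17", "Statement": IDENTITY["Statement"] + [
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": f"arn:aws:s3:::{BUCKET}"}]}
```

Running can_assume_role against TRUST_ORIGINAL returns (True, False): the caller's own policy is fine, the role's trust policy is what rejects the call.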