Amazon web services AWSSecurityTokenServiceException:拒绝访问。用户无权执行sts:AssumeRole
我是aws的新手。我想为aws调用生成临时凭据。为此,我使用了 我经过的地方Amazon web services AWSSecurityTokenServiceException:拒绝访问。用户无权执行sts:AssumeRole,amazon-web-services,aws-cognito,aws-java-sdk,aws-sts,Amazon Web Services,Aws Cognito,Aws Java Sdk,Aws Sts,我是aws的新手。我想为aws调用生成临时凭据。为此,我使用了 我经过的地方 String clientRegion = "<specific region>"; String roleARN = "<ARN from role>"; String roleSessionName = "Just random string"; //<-- maybe I should pass specific SessionName? String bucketName = "&
String clientRegion = "<specific region>";
String roleARN = "<ARN from role>";
String roleSessionName = "Just random string"; //<-- maybe I should pass specific SessionName?
String bucketName = "<specific bucket name>";
出错
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException:
用户:arn:aws:iam:::用户/无权执行:
sts:AssumeRole on resource: arn:aws:iam::<ID>:role/<ROLE_NAME> (Service: AWSSecurityTokenService; Status Code: 403; Error Code:
收到错误响应:com.amazonaws.services.s3.model.amazons3异常:拒绝访问服务:amazons3;状态代码:403;错误代码:AccessDenied;请求ID:,S3扩展请求ID:看起来您缺少策略中的操作S3:ListBucket。此操作针对bucket资源。此外,出于安全原因,您还应删除上面在最新更新中发布的策略中的帐户id。
sts:AssumeRole on resource: arn:aws:iam::<ID>:role/<ROLE_NAME> (Service: AWSSecurityTokenService; Status Code: 403; Error Code:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<iam user ID>:user/<USER_NAME>",
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "<user pool ID>"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "<sidId1>",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::<path>*"
]
},
{
"Sid": "sidId2",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithWebIdentity"
],
"Resource": [
"arn:aws:iam::<ID>:role/<ROLE_NAME>"
]
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com",
"AWS": "arn:aws:iam::<ID>:user/<USER>"
},
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithWebIdentity"
]
}
]
}
// Verify that assuming the role worked and the permissions are set correctly
// by getting a set of object keys from the bucket.
ObjectListing objects = s3Client.listObjects(bucketName);