Java 无法使用IAM用户担任第三方AWS帐户的角色'；s访问密钥_Java_Amazon Web Services_Sts Securitytokenservice_Assume Role

Java 无法使用IAM用户担任第三方AWS帐户的角色'；s访问密钥

java amazon-web-services

Java 无法使用IAM用户担任第三方AWS帐户的角色'；s访问密钥,java,amazon-web-services,sts-securitytokenservice,assume-role,Java,Amazon Web Services,Sts Securitytokenservice,Assume Role,我正在尝试使用带有SecurityAudit角色的假定角色函数为第三方AWS帐户授予访问我的AWS帐户的权限，类似于。我按照中的说明为第三方帐户分配了一个名为testing的角色，在这里我将获得类似这样的信任关系（我还添加了第三方的IAM用户，因为它将使用他的访问密钥访问我的AWS帐户）：然后我按照下面的代码进行操作： AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()

我正在尝试使用带有SecurityAudit角色的假定角色函数为第三方AWS帐户授予访问我的AWS帐户的权限，类似于。我按照中的说明为第三方帐户分配了一个名为testing的角色，在这里我将获得类似这样的信任关系（我还添加了第三方的IAM用户，因为它将使用他的访问密钥访问我的AWS帐户）：

然后我按照下面的代码进行操作：

AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
                                                    .withCredentials(new ProfileCredentialsProvider())
                                                    .withRegion(clientRegion)
                                                    .build();

            // Obtain credentials for the IAM role. Note that you cannot assume the role of an AWS root account;
            // Amazon S3 will deny access. You must use credentials for an IAM user or an IAM role.
            AssumeRoleRequest roleRequest = new AssumeRoleRequest()
                                                    .withRoleArn(roleARN)
                                                    .withRoleSessionName(roleSessionName);
            AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
            Credentials sessionCredentials = roleResponse.getCredentials();

但当第三方运行代码时，它收到如下错误：

Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::thirdparty:user/TestOne is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::myaccount:role/testing(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1632)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1304)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1058)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:743)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:717)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:699)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:667)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:649)
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:513)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1307)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1283)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:466)
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:442)

因此，如果第三方AWS帐户希望使用其访问密钥对我的帐户进行安全审核，应如何正确配置该密钥？

错误表明

arn:aws:iam::thirdparty:user/TestOne

is无法承担感兴趣的角色
在您的问题中，您正确地允许
arn:aws:iam:：thirdparty:root
担任此角色。但这仍然是没有给
TestOne
IAM用户同样的权限
要解决这个问题，
thirdparty
account的管理员/root必须明确允许
IAM userTestOne 在您的帐户中sts:AssumeRole 例如，thirdparty 帐户可以向TestOne 用户添加内联策略等权限。显然，也可以使用客户管理的策略或其他IAM机制来完成。但内联策略似乎是最快、最容易测试的 arn:aws:iam::thirdparty:user/TestOne