Node.js: getting temporary credentials from EC2/Elastic Beanstalk for an API Gateway IAM authorizer
Tags: node.js, amazon-web-services, aws-sdk, amazon-iam, api-gateway

I need to call an API Gateway method protected by IAM authentication from an Elastic Beanstalk application. To create a signed request I need the access key, secret key and session token, so I tried using MetadataService:
const util = require('util');
const AWS = require('aws-sdk');

async function getCredentialsFromMetadata() {
  console.log('Using metadata service');
  const metadata = new AWS.MetadataService();
  // metadata.request is callback-based; promisify it and keep `this` bound
  const metadataRequest = util
    .promisify(metadata.request)
    .bind(metadata);
  const data = await metadataRequest(
    '/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance'
  );
  let sessionData = JSON.parse(data);
  console.log(
    'typeof sessionData',
    typeof sessionData,
    sessionData.Token
  );
  // the metadata response calls the session token "Token"; the API client expects SessionToken
  sessionData = {
    ...sessionData,
    SessionToken: sessionData.Token
  };
  return sessionData;
}
But when I call the API, I get:
[9d3a82369277]GFX500000 Error: Request failed with status code 403
    at createError (/var/app/current/node_modules/aws-api-gateway-client/node_modules/axios/lib/core/createError.js:16:15)
    at settle (/var/app/current/node_modules/aws-api-gateway-client/node_modules/axios/lib/core/settle.js:18:12)
    at IncomingMessage.handleStreamEnd (/var/app/current/node_modules/aws-api-gateway-client/node_modules/axios/lib/adapters/http.js:202:11)
    at IncomingMessage.emit (events.js:203:15)
    at IncomingMessage.EventEmitter.emit (domain.js:448:20)
    at endReadableNT (_stream_readable.js:1129:12)
    at /var/app/current/node_modules/async-listener/glue.js:188:31
    at process._tickCallback (internal/process/next_tick.js:63:19)
I also tried using getSessionToken, but I realised I can't do that because I am using a role. Then I tried assuming the role:
const AWS = require('aws-sdk');
const sts = new AWS.STS();

async function getCredentialsByAssumingRole() {
  console.log('Assuming role');
  let sessionData = await sts
    .assumeRole({
      RoleArn:
        'arn:aws:iam::906981349885:role/genflix-beanstalk-ec2-role',
      RoleSessionName: 'genflix-eb'
    })
    .promise();
  console.log(sessionData);
  // AssumeRole returns the temporary keys under Credentials
  sessionData = sessionData.Credentials;
  return sessionData;
}
where I assume the same role the current EC2 instance already has, but I get:
AccessDenied: Access denied
at Request.extractError (/var/app/current/node_modules/aws-sdk/lib/protocol/query.js:50:29)
at Request.callListeners (/var/app/current/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/app/current/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/app/current/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/var/app/current/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/app/current/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/app/current/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/app/current/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/app/current/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/var/app/current/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
at Request.emit (/var/app/current/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/app/current/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/var/app/current/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/app/current/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/app/current/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/app/current/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/app/current/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/var/app/current/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
at callNextListener (/var/app/current/node_modules/aws-sdk/lib/sequential_executor.js:96:12)
at IncomingMessage.onEnd (/var/app/current/node_modules/aws-sdk/lib/event_listeners.js:307:13)
at IncomingMessage.emit (events.js:203:15)
at IncomingMessage.EventEmitter.emit (domain.js:448:20)
at endReadableNT (_stream_readable.js:1129:12)
at /var/app/current/node_modules/async-listener/glue.js:188:31
at process._tickCallback (internal/process/next_tick.js:63:19)
What should I use?

I suggest generating the SDK for the API Gateway and using it in your code.