我有一个奇怪的问题,我似乎无处可去。我已经在线上关注了所有内容(有多个教程等),但是无法使sts.assumeRole正常工作。
我的设置:
我有一个机器人在Sub AWS账户1中运行,我需要从Main AWS账户获取价格信息。
因此,我在主AWS账户上创建了一个角色,以具有以下AWS ce:*访问权限:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["ce:*"],
"Resource": ["*"]
}]
}
信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com",
"AWS": "arn:aws:iam::SubAWSaccount1-ID:role/instance-profile"
},
"Action": "sts:AssumeRole"
}
]
}
现在,这是附加到在Sub AWS帐户1上运行的EC2实例的实例配置文件:
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::mainAWSaccount-ID:role/botRole"
}
]
}
信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
好的,顺便说一下,这是不起作用的代码:
var AWS = require('aws-sdk');
var pricingAWS = new AWS.CostExplorer();
var getPricing = function(){
var costParams = {
TimePeriod: { Start: "2019-12-01 ", End: "2020-01-01"},
Granularity: 'MONTHLY',
Metrics: ['BlendedCost'],
Filter: {
Dimensions: {
Key: "LINKED_ACCOUNT",
Values: ["Sub AWS account 2s ID"] //Main AWS account has access to many sub accounts info. So bot in running on Sub account 1, I need info from Sub account 1, 2, 3 etc and Role is on Main account
}
}
};
var roleToAssume = {
RoleArn: 'arn:aws:iam::mainAWSaccount-ID:role/botRole',
RoleSessionName: 'testTestTest',
DurationSeconds: 900
};
var roleCreds = {};
sts.assumeRole(roleToAssume, function(err, data) {
if (err) {
console.log(err);
} else {
roleCreds = {
accessKeyId: data.Credentials.AccessKeyId,
secretAccessKey: data.Credentials.SecretAccessKey,
sessionToken: data.Credentials.SessionToken
};
pricingAWS.config.update({
accessKeyId: roleCreds.AccessKeyId,
secretAccessKey: roleCreds.SecretAccessKey,
sessionToken: roleCreds.SessionToken
});
}
});
pricingAWS.getCostAndUsage(costParams, function (err, data) {
if (err) {
reject(err);
}else{
resolve(data);
}
});
};
getPricing();
我从console.log(err)得到的是:
User: arn:aws:sts::SubAWSAccount-1:assumed-role/slack-instance-profile/instanceID is not authorized to perform: ce:GetCostAndUsage on resource: arn:aws:ce:us-east-1:SubAWSAccount-1:/GetCostAndUsage'
为了确认我的理解,您正在尝试从另一个帐户的ec2实例在一个帐户中扮演角色。
child
帐户中创建IAM角色main
通过附加IAM策略,允许上述新创建的角色假定该角色存在于帐户中。通过主要角色的信任策略允许子角色承担主要角色(您已经在执行此操作)将pricingAWS.getCostAndUsage()
行移入承担角色回调。因为该行是在更新凭据之前调用的:)。您还可以将所有内容更改为异步/等待,如下所示。
import AWS = require('aws-sdk');
var pricingAWS = new AWS.CostExplorer();
const sts = new AWS.STS()
var getPricing = async function () {
var costParams = {
TimePeriod: { Start: "2019-12-01 ", End: "2020-01-01" },
Granularity: 'MONTHLY',
Metrics: ['BlendedCost'],
Filter: {
Dimensions: {
Key: "LINKED_ACCOUNT",
Values: ["Sub AWS account 2s ID"] //Main AWS account has access to many sub accounts info. So bot in running on Sub account 1, I need info from Sub account 1, 2, 3 etc and Role is on Main account
}
}
};
var roleToAssume = {
RoleArn: 'arn:aws:iam::mainAWSaccount-ID:role/botRole',
RoleSessionName: 'testTestTest',
DurationSeconds: 900
};
var roleCreds = {};
try {
const data = await sts.assumeRole(roleToAssume).promise();
const roleCreds = {
accessKeyId: data.Credentials.AccessKeyId,
secretAccessKey: data.Credentials.SecretAccessKey,
sessionToken: data.Credentials.SessionToken
};
pricingAWS.config.update({
accessKeyId: roleCreds.accessKeyId,
secretAccessKey: roleCreds.secretAccessKey,
sessionToken: roleCreds.sessionToken
});
const costAndUsage = await pricingAWS.getCostAndUsage(costParams).promise()
return costAndUsage
} catch (err) {
console.log('error: ', err);
throw err;
}
};
getPricing();
希望这可以帮助。
本文收集自互联网,转载请注明来源。
如有侵权,请联系[email protected] 删除。
我来说两句