我正在尝试调用实体解析API
IAM 用户详细信息:
我为 user1 生成了访问密钥和秘密,并在我的 Spring Boot 应用程序中使用它们。
附加到 user1 的策略(AssumeRolePolicy):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::004724176825:role/scv-er-poc-er-service-sbox"
}
]
}
角色详情 (
scv-er-poc-er-service-sbox
)。该角色附加了 AWSEntityResolutionConsoleFullAccess
策略。:
在受信任的实体中:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::004724176825:user/user1",
"Service": "entityresolution.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
尽管进行了策略和角色配置,仍会出现错误并显示以下消息:
User: arn:aws:iam::004724176825:user/user1 is not authorized to perform: entityresolution:GetMatchId on resource: arn:aws:entityresolution:eu-west.
此流程中缺少哪个步骤?
我的Java代码:
@Bean
public EntityResolutionClient entityResolutionClient() {
AwsCredentials credentials = AwsBasicCredentials.create("<Access key>",
"<Secret>");
StaticCredentialsProvider staticProvider = StaticCredentialsProvider.create(credentials);
Region region = Region.EU_WEST_1;
EntityResolutionClient entityResolutionClient = EntityResolutionClient.builder()
.region(region)
.credentialsProvider(staticProvider)
.build();
return entityResolutionClient;
}
您必须首先承担该角色,然后使用这些凭据(因为他们有权通过
AWSEntityResolutionConsoleFullAccess
进行呼叫)。
承担角色示例:
RoleArn=assume_role_arn,
RoleSessionName=session_name,
SerialNumber=mfa_serial_number,
TokenCode=mfa_totp,
)
temp_credentials = response["Credentials"]
print(f"Assumed role {assume_role_arn} and got temporary credentials.")
s3_resource = boto3.resource(
"s3",
aws_access_key_id=temp_credentials["AccessKeyId"],
aws_secret_access_key=temp_credentials["SecretAccessKey"],
aws_session_token=temp_credentials["SessionToken"],
)
print(f"Listing buckets for the assumed role's account:")
for bucket in s3_resource.buckets.all():
print(bucket.name)