我正在尝试生成临时凭证访问密钥和密钥。我用过assumeRole。描述说它生成访问密钥和密钥。但GetSessionTokenResult也可以生成访问密钥和密钥。然后是什么使用assumeRole?
AWSSecurityTokenService awsSecurityTokenService =
AWSSecurityTokenServiceClientBuilder
.standard().withCredentials(new ProfileCredentialsProvider())
.withRegion(region).build();
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
.withRoleArn(
"arn:aws:iam::account-id:role/p-27c229ade194_ec2")
.withRoleSessionName("RedshiftSession");
AssumeRoleResult assumeRoleResult = awsSecurityTokenService
.assumeRole(assumeRoleRequest);
GetSessionTokenRequest getSessionTokenRequest = new GetSessionTokenRequest();
getSessionTokenRequest.setDurationSeconds(1200);
GetSessionTokenResult getSessionTokenResult = awsSecurityTokenService
.getSessionToken(getSessionTokenRequest);
Credentials sessionCredentials = getSessionTokenResult.getCredentials();
final String adminAccessKeyId = sessionCredentials.getAccessKeyId();
final String adminAccessSecretKey = sessionCredentials
.getSecretAccessKey();
之前使用assumeRole它显示错误=> aws:iam :: user / admin不是sts:assumeRole on resource role aws:iam :: role / role_id通过在role_id的信任关系中添加aws:iam :: user / admin它起作用。
如果我将注释掉AccessRole及其他被调用的类。我可以生成访问密钥和密钥。什么是使用assumeRole的目的?
根据您的要求,有several methods to obtain temporary credentials:
此外,AssumeRole可用于获取跨帐户访问权限。例如,帐户A中的用户可以在帐户B中担任角色,该帐户B授予对帐户B中资源的访问权限。这不可能通过GetSessionToken实现。
我总是觉得这篇文章对解释这些差异很有用:Understanding the API Options for Securely Delegating Access to Your AWS Account | AWS Security Blog