我正在通过代码构建运行 Terraform,并尝试在另一个帐户中担任角色,并收到此错误:
AWS Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: <idhere>, api error AccessDenied: User: arn:aws:sts::00000000:assumed-role/my_acct_role/AWSCodeBuild-30468110-5eb8-4da8-b7e9-456841e8a282 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::11111111:role/role_in_dest_acct
我在代码构建中的服务角色是这样配置的
serviceRole='arn:aws:iam::00000000:role/my_acct_role',
我对正在发生的事情的猜测是服务角色正在承担运行代码构建角色,因此无法将承担角色请求发送给另一个帐户,因为它不是来自为 AssumeRole 策略提供的委托人。
完整的 IAM 政策: 在 00000000 帐户(运行代码构建的地方)
信任关系:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [ "arn:aws:iam::11111111:role/role_in_dest_acct"],
"Service": [
"codebuild.amazonaws.com",
"apigateway.amazonaws.com",
"lambda.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}
政策:
{
"Id": "default",
"Statement": [
{
"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::00000000:role/my_acct_role",
"Sid": "AllowPassRole"
},
{
"Action": [
"codebuild:StartBuild",
"codebuild:CreateProject"
],
"Effect": "Allow",
"Resource": "arn:aws:codebuild:us-east-1:00000000:project/*",
"Sid": "AllowCodeBuildCreateAndStart"
},
{
"Action": [
"codecommit:*
],
"Effect": "Allow",
"Resource": "arn:aws:codecommit:us-east-1:00000000:my_acct_role",
"Sid": "AllowCodeCommit"
}
],
"Version": "2012-10-17"
}
在 11111111 帐户(我部署到的地方)
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::0000000:role/my_acct_role",
]
},
"Action": [
"sts:AssumeRole",
"sts:TagSession",
"sts:SetSourceIdentity"
]
}
]
}