Powershell：使用临时凭证访问AWS s3存储桶

Posted 2021-05-07

我想首先创建临时凭证，然后为该用户承担角色。使用该临时凭证，我想访问s3存储桶以对它们执行某些操作。但是当我尝试使用临时accessKey和secretKey访问存储桶时，我们的记录中不存在像AWS访问密钥ID这样的抛出执行。请帮我解决。

P.S：我是PowerShell的新手（使用v2.0）。

param([String]$profile , [string]$mfaVal)

function Get-IniContent ($filePath)
{
    $ini = @{}
    switch -regex -file $FilePath
    { 
    “^[(.+)]” # Section
        {
            $section = $matches[1]
            $ini[$section] = @{}
            $CommentCount = 0
        }
    “^(;.*)$” # Comment
        {
            $value = $matches[1]
            $CommentCount = $CommentCount + 1
            $name = “Comment” + $CommentCount
       # $ini[$section][$name] = $value
        } 
    “(.+?)s*=(.*)” # Key
        {
            $name,$value = $matches[1..2]
            $ini[$section][$name] = $value
        }
    }
    return $ini
}

Add-Type -Path "C:Program Files (x86)AWS SDK for .NETpast-releasesVersion-1AWSSDK.dll"

Write-Host $psboundparameters.count

if ($psboundparameters.count -lt 2){
    echo "
Wrong parameter values. Please see the usage below. 

    Usage: Get_s3_bucket_objects.ps1 [profile name (test | preprod | prod)] [MFA code]

";
    exit;
}

$ini = Get-IniContent “C:UsersDesktopconfig.ini”

$bucket = $ini[$profile]["bucketName"]
$accountID = $ini[$profile]["accountID"]
$encKey = $ini[$profile]["encKey"]
$userName =$ini[$profile]["userName"]
$secretKey =$ini[$profile]["secret"]
$accessKey =$ini[$profile]["key"]

Set-AWSCredentials -AccessKey AAHSAI2ER4FDQ -SecretKey BaxkYl9eR/0X9SJTmIy/sajdfgav -StoreAs TestProfile

Initialize-AWSDefaults -ProfileName TestProfile -Region us-east-1

$mfa = "arn:aws:iam::$accountID:mfa/testUser"
$roleArn = "arn:aws:iam::$accountID:role/download-for-signing"
$sessionName = "session_name"

$role = Use-STSRole -RoleArn $roleArn -RoleSessionName $sessionName -DurationInSeconds 900 -ExternalId testUser -SerialNumber $mfa -TokenCode $mfaVal -StoredCredentials TestProfile

$tempAccessKey = $role.Credentials.AccessKeyId
$tempSecretKey = $role.Credentials.SecretAccessKey

$client=[Amazon.AWSClientFactory]::CreateAmazonS3Client($tempAccessKey,$tempSecretKey)
$client.ListBuckets()

Clear-AWSCredentials -StoredCredentials TestProfile

获得例外情况：

"Exception calling "ListBuckets" with "0" argument(s): "The AWS Access Key Id you provided does not exist in our records." At C:UsersDesktopGet_s3_bucket_objects.ps1:91 char:20 + $client.ListBuckets <<<< ()
+ CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
+ FullyQualifiedErrorId : DotNetMethodException

答案

我在R中使用aws.s3包时遇到了类似的错误。当我从AWS复制访问密钥ID和密钥并将它们粘贴到我在这些行中的代码时，我发现我正在拾取额外的非文本字符。

$secretKey =$ini[$profile]["secret"]
$accessKey =$ini[$profile]["key"]

我重写了第一个和最后几个字母和引号，并且很好。