aws sts assume-role returns a masked "***" AccessKeyId
I am calling sts assume-role from a CodeBuild image, and the response credentials have accessKeyId = "***" like this.

I also tried executing the same command from my local machine and got the correct accessKeyId. Any ideas on what I am missing here?
Request:

```sh
aws sts assume-role --role-arn arn:aws:iam::11111111:role/codepipeline_role --role-session-name codepipeline_role
```
Sample response:

```json
{
    "AssumedRoleUser": {
        "Arn": "arn:aws:sts::111111111111:assumed-role/codepipeline_role/codepipeline-role",
        "AssumedRoleId": "AROA6DS4I2EQXD2H5OXYE:codepipeline-role"
    },
    "Credentials": {
        "AccessKeyId": "***",
        "Expiration": "2020-01-04T16:23:56Z",
        "SecretAccessKey": "SecretAccessKey",
        "SessionToken": "sessionTOken"
    }
}
```
Thanks in advance!
Can you try using these values? It may be masking the value when you echo it.
```yaml
version: 0.2
phases:
  install:
    commands:
      - apt-get update
      - apt-get install -y jq
      # Capture the whole assume-role response; the session name is a timestamp
      - RESPONSE=$(aws sts assume-role --role-arn arn:aws:iam::123456789012:role/CLIRole --role-session-name `date "+%Y%m%d_%H%M%S"`)
      # Pull the three credential fields out of the JSON (quoted so jq gets the full document)
      - export AWS_ACCESS_KEY_ID=$(echo "$RESPONSE" | jq -r '.Credentials.AccessKeyId')
      - export AWS_SECRET_ACCESS_KEY=$(echo "$RESPONSE" | jq -r '.Credentials.SecretAccessKey')
      - export AWS_SESSION_TOKEN=$(echo "$RESPONSE" | jq -r '.Credentials.SessionToken')
      #- Your aws cli command here...
```
Edit 1:

Using the following buildspec (checked by invoking CodeBuild from CodePipeline), I can confirm that the role assumption succeeds. The "***" is masked only when you echo it:
```yaml
version: 0.2
phases:
  install:
    runtime-versions:
      nodejs: 8
    commands:
      - ASSUME_ROLE_ARN="arn:aws:iam::123456789012:role/Shariq-Assumption-Test-Role"
      - aws sts get-caller-identity
      - TEMP_ROLE=`aws sts assume-role --role-arn $ASSUME_ROLE_ARN --role-session-name test`
      - export TEMP_ROLE
      - echo $TEMP_ROLE
      - export AWS_ACCESS_KEY_ID=$(echo "$TEMP_ROLE" | jq -r '.Credentials.AccessKeyId')
      - export AWS_SECRET_ACCESS_KEY=$(echo "$TEMP_ROLE" | jq -r '.Credentials.SecretAccessKey')
      - export AWS_SESSION_TOKEN=$(echo "$TEMP_ROLE" | jq -r '.Credentials.SessionToken')
      - echo $AWS_ACCESS_KEY_ID
      - echo $AWS_SECRET_ACCESS_KEY
      - echo $AWS_SESSION_TOKEN
      - aws sts get-caller-identity
```
'Shariq-Assumption-Test-Role' has the following trust policy:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::12345678910:root",
                "Service": "codebuild.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
```
Also, the CodeBuild role should have the sts:AssumeRole permission.

Build log:
```text
[Container] 2020/01/05 12:59:13 Running command ASSUME_ROLE_ARN="arn:aws:iam::123456789012:role/Shariq-Assumption-Test-Role"
[Container] 2020/01/05 12:59:13 Running command aws sts get-caller-identity
{
    "UserId": "AROAXTEXAMPLEQ22FQDC:AWSCodeBuild-xxxxxxxx-104c-42b9-b71c-ff3e8ad44b16",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/codebuild-build-from-cp-service-role/AWSCodeBuild-xxxxxxxx-104c-42b9-b71c-ff3e8ad44b16"
}
[Container] 2020/01/05 12:59:18 Running command TEMP_ROLE=`aws sts assume-role --role-arn $ASSUME_ROLE_ARN --role-session-name test`
[Container] 2020/01/05 12:59:18 Running command export TEMP_ROLE
[Container] 2020/01/05 12:59:18 Running command echo $TEMP_ROLE
{ "Credentials": { "AccessKeyId": "***", "SecretAccessKey": "R9QuqToY4qkcEXAMPLESGmTGJi4QawzS", "SessionToken": "FwoGZXIvYXdzEA4aDIwhkn5nVvvFBeBxXSLGAZmE1/Kw0CA9a/PEUG6VXyHyTrVryYzyRDEPdFUlzhXjqBj9h5x/Cz5aX/61aR2qSEXAMPLEBqm7OsI3zD3KA3NIIAr/u+l9f8AGZz+Ii6AeUoLFrkvH7d7JINGvouRNdrulkbzbnAAtGQx+8K1DxR0w4TbPbld3hQJYanGf6I4v3EieJuRckqxloEO6gF9W9EsqsluOogJVJAziimu8fwBTJLaKyaqg2Rr6w4JqrIB9fUngEnif/ggbIrscuadGLhXe7bSRKCrerk5DzEGP1uiZwH3P/De9wIOOClq", "Expiration": "2020-01-05T13:59:18Z" }, "AssumedRoleUser": { "AssumedRoleId": "AROAXTLSHEXAMPLE2TZT:test", "Arn": "arn:aws:sts::123456789012:assumed-role/Shariq-Assumption-Test-Role/test" } }
[Container] 2020/01/05 12:59:18 Running command export AWS_ACCESS_KEY_ID=$(echo "$TEMP_ROLE" | jq -r '.Credentials.AccessKeyId')
[Container] 2020/01/05 12:59:18 Running command export AWS_SECRET_ACCESS_KEY=$(echo "$TEMP_ROLE" | jq -r '.Credentials.SecretAccessKey')
[Container] 2020/01/05 12:59:18 Running command export AWS_SESSION_TOKEN=$(echo "$TEMP_ROLE" | jq -r '.Credentials.SessionToken')
[Container] 2020/01/05 12:59:18 Running command echo $AWS_ACCESS_KEY_ID
***
[Container] 2020/01/05 12:59:18 Running command echo $AWS_SECRET_ACCESS_KEY
R9QuqToY4qkct327ZEXAMPLEmTGJi4QawzS
[Container] 2020/01/05 12:59:18 Running command echo $AWS_SESSION_TOKEN
FwoGZXIvYXdzEA4aDIwhkn5nVvvFBeBxXSLGAZmE1/Kw0CA9a/PEUG6VXyHyTrVryYzyRDEPdFUlzhXjqBj9h5x/Cz5aX/61aR2qSGwqMEjJToh0Bqm7OsI3zD3K4ot7wAeUoLFrkvH7d7JINGvouRNdrulkbzbnAAtGQx+8K1DxR0w4TbPbld3hQJYanEXAMPLE0h3U5xLXykuEcvOnuV6gF9W9EsqsluOogJVJAziimu8fwBTJLaKyaqg2Rr6w4JqrIB9fUngEnif/ggbIrscuadGLhXe7bSRKCrerk5DzEGPzqyMFCH+DHYsbeIeqXkbFYW1uiZwH3P/De9wIOOClq
[Container] 2020/01/05 12:59:18 Running command aws sts get-caller-identity
{
    "UserId": "AROAXTLEXAMPLELVE2TZT:test",
    "Account": "123456789012",
    "Arn": "arn:aws:sts::123456789012:assumed-role/Shariq-Assumption-Test-Role/test"
}
```
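The answer's buildspec extracts the three credential fields with jq and then echoes them, and the build log above shows that only the AccessKeyId is masked while the secret access key and session token are printed in clear. The helper below is an added example, not code from the question, the answer, or AWS: it parses a captured assume-role response, rejects a masked "***" key id (which means the value was read from a masked log line rather than from the JSON the CLI returned), checks that the key id carries the ASIA prefix STS gives temporary credentials, checks expiry, and returns shell export lines without printing any secret. The sample response, the two fixed clock values, and the account, role, and credential strings in it are constructed placeholders.

```python
"""Parse an `aws sts assume-role` response into AWS_* environment variables
for a build step, detecting the masked "***" AccessKeyId and expired
credentials, without ever printing the secret values."""
import json
import re
import shlex
from datetime import datetime, timezone

# Constructed sample response, shaped like the one in the question above.
# Every value is a placeholder, not a real credential.
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "FwoGZXIvYXdzEXAMPLE/session+Token=",
        "Expiration": "2020-01-05T13:59:18Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:test",
        "Arn": "arn:aws:sts::123456789012:assumed-role/Shariq-Assumption-Test-Role/test",
    },
})

# The same response as it appears in a masked build log: the key id is gone.
MASKED_RESPONSE = SAMPLE_RESPONSE.replace("ASIAIOSFODNN7EXAMPLE", "***")

# Fixed clocks for the demo (constructed): one inside the credentials'
# lifetime, one after the Expiration above.
FIXED_NOW = datetime(2020, 1, 5, 12, 59, 18, tzinfo=timezone.utc)
LATER_NOW = datetime(2020, 1, 5, 14, 0, 0, tzinfo=timezone.utc)

# STS temporary access key ids start with "ASIA"; long-term IAM user keys
# start with "AKIA". Anything else (such as "***") was not produced by STS.
TEMP_KEY_ID = re.compile(r"^ASIA[A-Z0-9]{16,}$")

REQUIRED = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")


class CredentialError(ValueError):
    """Raised when the response cannot be used as credentials."""


def parse_expiration(value):
    """Accept both CLI v1 ("...Z") and CLI v2 ("...+00:00") timestamp forms."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assume_role(response_text, now=None):
    """Return the AWS_* environment mapping for the temporary credentials."""
    creds = json.loads(response_text).get("Credentials") or {}
    missing = [k for k in REQUIRED if not creds.get(k)]
    if missing:
        raise CredentialError(f"response lacks Credentials fields: {missing}")

    key_id = creds["AccessKeyId"]
    if "*" in key_id:
        # The value came from a masked log line, not from the JSON the CLI
        # returned: re-read it from the captured response variable instead.
        raise CredentialError("AccessKeyId is masked ('***'); parse the captured JSON, not echoed log output")
    if not TEMP_KEY_ID.match(key_id):
        raise CredentialError(f"AccessKeyId {key_id!r} is not an STS temporary key id")

    now = now or datetime.now(timezone.utc)
    if parse_expiration(creds["Expiration"]) <= now:
        raise CredentialError("credentials have already expired")

    return {
        "AWS_ACCESS_KEY_ID": key_id,
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def diagnose(response_text, now=None):
    """One-line verdict that is safe to put in a build log (no secret values)."""
    try:
        parse_assume_role(response_text, now)
    except (CredentialError, ValueError) as exc:  # JSONDecodeError is a ValueError
        return f"error: {exc}"
    return "ok"


def export_lines(env):
    """Shell lines to `eval` in the build step; feed them to the shell, not to the log."""
    return [f"export {name}={shlex.quote(value)}" for name, value in env.items()]


if __name__ == "__main__":
    # Only the verdicts are printed; the secrets stay inside the returned mapping.
    print(diagnose(SAMPLE_RESPONSE, FIXED_NOW))
    print(diagnose(MASKED_RESPONSE, FIXED_NOW))
    print(diagnose(SAMPLE_RESPONSE, LATER_NOW))
```

The main block prints only the verdicts. To consume the credentials in a build step, pass the output of export_lines to the shell (for example through eval) instead of echoing the variables, so the secret access key and session token never reach the build log.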