Not authorized to perform: sts:TagSession on resource: ***

Posted: 2021-12-21 07:35:04

Question: I'm trying to run a GitHub Action that performs a database migration on a staging server on AWS.
```yaml
name: db migration for stg.
on:
  push:
    branches:
      - staging
    paths:
      - api/db/migrate/**
jobs:
  migration:
    name: DB Migration
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN_STG }}
          role-duration-seconds: 1200
          aws-region: ap-northeast-1
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '2.7.2'
      - name: ssh configure
        env:
          SSH_SECRET_KEY: ${{ secrets.SSH_SECRET_KEY }}
        run: |
          mkdir -p ~/.ssh && touch ~/.ssh/config
          echo 'host i-* mi-*' >> ~/.ssh/config
          echo ' ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"' >> ~/.ssh/config
          echo $SSH_SECRET_KEY | base64 -d > ~/.ssh/id_rsa2
          chmod 0600 ~/.ssh/id_rsa2
      - name: db migration
        env:
          RAILS_ENV: <env>
          RAILS_MASTER_KEY: <key>
          RDS_HOSTNAME: 127.0.0.1
          RDS_DB_NAME: <db_name>
          RDS_USERNAME: <username>
          RDS_PASSWORD: <password>
          RDS_PORT: 9999
          STEP_SERVER_ID: <id>
          DB_HOST: <host>
        working-directory: ./api
        run: |
          ssh -f -N -L $RDS_PORT:$DB_HOST:3306 -i ~/.ssh/id_rsa2 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ssm-user@$STEP_SERVER_ID
          sudo apt-get -yqq install libpq-dev
          gem install bundler
          bundle install --jobs 4 --retry 3
          bundle exec rails db:migrate
```
What could be the cause of this error when running this action? I have tried many steps to narrow down the cause of the problem, whether it is caused by the assumable_role, wrong secret values, the trust relationship, etc. Could you suggest what might be causing this?
```text
Run aws-actions/configure-aws-credentials@v1
with:
aws-access-key-id: ***
aws-secret-access-key: ***
role-to-assume: ***
role-duration-seconds: 1200
aws-region: ap-northeast-1
Error: User: arn:aws:iam::***:user/github_user is not authorized to perform: sts:TagSession on resource: ***
```
Policy summary of github_user:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:*",
      "Resource": "*"
    }
  ]
}
```
Answer 1: I figured it out. The answer is buried quite subtly in the documentation, but you have to grant the user permission for sts:TagSession and then add the same permission to the permissions policy of the role you are assuming.
IAM user policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ],
      "Resource": [
        "arn:aws:iam::11111111111:role/RoleToAssume"
      ]
    }
  ]
}
```
Trust relationship of the role being assumed:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::00000000000:user/UserFromAbove"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ]
    }
  ]
}
```
Comments:

If you run into: "The requested DurationSeconds exceeds the MaxSessionDuration set for this role", make sure you also add: role-duration-seconds: 1200

For me the problem was that, somehow, the IAM user in the trust relationship policy was the user's access key. Replacing it with the user's ARN fixed the problem.

Answer 2: Adding to Chris's answer, which clearly helped solve this problem:

When you create a role using OIDC, it has a trust relationship. This means that some GitHub Actions have to be added to it as a principal; it will assume the role, and whatever permissions the role has will apply to the federated OIDC identity `"Federated": "arn:aws:iam::636521895949:oidc-provider/token.actions.githubusercontent.com"`, in this case GitHub Actions.

In addition, the user has to be there to use AWS STS to provide the short-lived token so that GitHub Actions can assume the role. So `"Principal": {"AWS": "arn:aws:iam::636527382793:user/<UserName>"}` should have `"Action": "sts:AssumeRole"`.

This means the role's trust relationship might look like the following, since putting the actions in a list, `"Action": ["sts:AssumeRole", "sts:TagSession"]`, is not allowed:

Let's call this role s3RoleForGitHubActions.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::6363891738271:oidc-provider/token.actions.githubusercontent.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "token.actions.githubusercontent.com:aud": "sts.amazonaws.com"
        },
        "StringLike": {
          "token.actions.githubusercontent.com:sub": "repo:github.com/GitHubProfile/GithubRepo/*"
        }
      }
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::6365738978321:user/UserName"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::6365738978321:user/UserName"
      },
      "Action": "sts:TagSession"
    }
  ]
}
```
Finally, we need to give the IAM User a policy that allows it to assume the role we created, so the IAM user policy:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession"
      ],
      "Resource": [
        "arn:aws:iam::63738127982:role/s3RoleForGitHubActions"
      ]
    }
  ]
}
```
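As an added example, not code from the question or from either answer: an offline Python check of the two policy documents both answers describe (the IAM user's identity policy and the assumed role's trust policy) that reports which of sts:AssumeRole and sts:TagSession each side is missing. The sample policies and ARNs are constructed, modelled on the failing setup in the question (user allowed sts:*, trust policy listing only sts:AssumeRole).

```python
import fnmatch

# Both STS actions configure-aws-credentials needs when it tags the assumed-role session.
REQUIRED = ("sts:AssumeRole", "sts:TagSession")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(patterns, value, fold=False):
    # IAM action names are case-insensitive; ARNs are compared as written.
    if fold:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def allowed_actions(policy, actions, principal_arn=None, resource_arn=None):
    """Subset of `actions` the policy allows; an explicit Deny overrides any Allow."""
    allowed, denied = set(), set()
    for st in policy["Statement"]:
        if principal_arn is not None:  # trust policy: statement must name the caller
            princ = st.get("Principal", {})
            pats = ["*"] if princ == "*" else _as_list(princ.get("AWS", []))
            if not _matches(pats, principal_arn):
                continue
        if resource_arn is not None:  # identity policy: statement must cover the role
            if not _matches(_as_list(st.get("Resource", [])), resource_arn):
                continue
        hit = {a for a in actions if _matches(_as_list(st.get("Action", [])), a, fold=True)}
        (allowed if st["Effect"] == "Allow" else denied).update(hit)
    return allowed - denied

def missing_for_assume_role(user_policy, trust_policy, user_arn, role_arn):
    """Required actions each side still lacks; two empty lists mean the call succeeds."""
    return {
        "user_policy": sorted(set(REQUIRED) - allowed_actions(user_policy, REQUIRED, resource_arn=role_arn)),
        "trust_policy": sorted(set(REQUIRED) - allowed_actions(trust_policy, REQUIRED, principal_arn=user_arn)),
    }

# Constructed sample policies (placeholder account IDs), modelled on the question:
# the user has sts:* but the role's trust policy only lists sts:AssumeRole.
USER_ARN = "arn:aws:iam::000000000000:user/github_user"
ROLE_ARN = "arn:aws:iam::111111111111:role/RoleToAssume"
USER_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:*", "Resource": "*"}]}
TRUST_BROKEN = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_ARN}, "Action": "sts:AssumeRole"}]}
TRUST_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": USER_ARN},
     "Action": ["sts:AssumeRole", "sts:TagSession"]}]}

if __name__ == "__main__":
    print(missing_for_assume_role(USER_POLICY, TRUST_BROKEN, USER_ARN, ROLE_ARN))
    print(missing_for_assume_role(USER_POLICY, TRUST_FIXED, USER_ARN, ROLE_ARN))
```

The broken pair reports `{'user_policy': [], 'trust_policy': ['sts:TagSession']}`, which is exactly the gap behind the error in the question; the check only reads the documents and never calls AWS.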