我遇到了一个奇怪的问题,一直无法解决。我已经按照网上的指导(多个教程等)进行了操作,但无法让 sts.assumeRole 起作用。
我的设置如下:
- 主 AWS 帐户(用于计费、IAM 等)
- 子 AWS 帐户 1(用于客户 1)
- 子 AWS 帐户 2(用于客户 2)
- 等等
我在 子 AWS 帐户 1 中运行着一个机器人,需要从 主 AWS 帐户 获取定价信息。
所以,我在 主 AWS 帐户 上创建了一个角色,拥有 AWS ce:* 访问权限,如下:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["ce:*"],
"Resource": ["*"]
}]
}
信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com",
"AWS": "arn:aws:iam::SubAWSaccount1-ID:role/instance-profile"
},
"Action": "sts:AssumeRole"
}
]
}
现在,这是附加到在Sub AWS账户1上运行的EC2实例的实例配置文件:
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::mainAWSaccount-ID:role/botRole"
}
]
}
信任关系
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
好的,既然如此,这是未能正常工作的代码:
好的,请注意,这是未能正常工作的代码:
var AWS = require('aws-sdk');
var pricingAWS = new AWS.CostExplorer();
var getPricing = function(){
var costParams = {
TimePeriod: { Start: "2019-12-01 ", End: "2020-01-01"},
Granularity: 'MONTHLY',
Metrics: ['BlendedCost'],
Filter: {
Dimensions: {
Key: "LINKED_ACCOUNT",
Values: ["Sub AWS account 2s ID"] //Main AWS account has access to many sub accounts info. So bot in running on Sub account 1, I need info from Sub account 1, 2, 3 etc and Role is on Main account
}
}
};
var roleToAssume = {
RoleArn: 'arn:aws:iam::mainAWSaccount-ID:role/botRole',
RoleSessionName: 'testTestTest',
DurationSeconds: 900
};
var roleCreds = {};
sts.assumeRole(roleToAssume, function(err, data) {
if (err) {
console.log(err);
} else {
roleCreds = {
accessKeyId: data.Credentials.AccessKeyId,
secretAccessKey: data.Credentials.SecretAccessKey,
sessionToken: data.Credentials.SessionToken
};
pricingAWS.config.update({
accessKeyId: roleCreds.AccessKeyId,
secretAccessKey: roleCreds.SecretAccessKey,
sessionToken: roleCreds.SessionToken
});
}
});
pricingAWS.getCostAndUsage(costParams, function (err, data) {
if (err) {
reject(err);
}else{
resolve(data);
}
});
};
getPricing();
我从console.log(err)中获取的结果是:
User: arn:aws:sts::SubAWSAccount-1:assumed-role/slack-instance-profile/instanceID is not authorized to perform: ce:GetCostAndUsage on resource: arn:aws:ce:us-east-1:SubAWSAccount-1:/GetCostAndUsage'
roleCreds.AccessKeyId
,但是您正在设置roleCreds = { accessKeyId: 'value'}
。应该是小写的access
而不是大写。祝好运。 - Arun Kamalanathan