AWS STS AssumeRole:是否需要 IAM 用户凭证?
AWS STS AssumeRole: Are IAM user credentials needed, or not?
冲突文档
关于 AssumeRole 的 documentation here 似乎在一个连续的块中自相矛盾:
You must call this API using existing IAM user credentials. For more
information, see Creating a Role to Delegate Permissions to an IAM
User and Configuring MFA-Protected API Access.
This is an unsigned call, meaning that the app does not need to have
access to any AWS security credentials in order to make the call.
对矛盾进行了加粗强调。
代码示例
code sample provided here 似乎确实需要凭据:
AmazonSecurityTokenServiceClient securityTokenServiceClient = new AmazonSecurityTokenServiceClient(
Config.AccessKey,
secretKeyAsString,
securityTokenServiceConfig);
…
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest
{
DurationSeconds = sessionDurationSec,
RoleArn = roleArn,
RoleSessionName = awsUsername,
ExternalId = groupSid
};
…
assumeRoleResponse = securityTokenServiceClient.AssumeRole(assumeRoleRequest);
总结
哪个是真的?代码示例中的请求真的是多余的吗?
谢谢!
AssumeRole API 调用 确实需要现有的 AWS 凭证。
为了担任 IAM 角色,必须使用一组现有的凭据,以便 AWS 知道谁在担任该角色。这样 AWS 就可以验证代入方是否被允许代入角色。
在文档中:
This is an unsigned call, meaning that the app does not need to have access to any AWS security credentials in order to make the call.
这似乎是不正确的信息。
这确实是文档中的错误,正在更正中。 AssumeRole 确实需要现有的长期(IAM 用户)或临时凭证凭证才能调用。它是两个联合等效项,AssumeRoleWithSAML 和 AssumeRoleWithWebIdentity,无需凭据即可调用。抱歉造成混淆!
冲突文档
关于 AssumeRole 的 documentation here 似乎在一个连续的块中自相矛盾:
You must call this API using existing IAM user credentials. For more information, see Creating a Role to Delegate Permissions to an IAM User and Configuring MFA-Protected API Access.
This is an unsigned call, meaning that the app does not need to have access to any AWS security credentials in order to make the call.
对矛盾进行了加粗强调。
代码示例
code sample provided here 似乎确实需要凭据:
AmazonSecurityTokenServiceClient securityTokenServiceClient = new AmazonSecurityTokenServiceClient(
Config.AccessKey,
secretKeyAsString,
securityTokenServiceConfig);
…
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest
{
DurationSeconds = sessionDurationSec,
RoleArn = roleArn,
RoleSessionName = awsUsername,
ExternalId = groupSid
};
…
assumeRoleResponse = securityTokenServiceClient.AssumeRole(assumeRoleRequest);
总结
哪个是真的?代码示例中的请求真的是多余的吗?
谢谢!
AssumeRole API 调用 确实需要现有的 AWS 凭证。
为了担任 IAM 角色,必须使用一组现有的凭据,以便 AWS 知道谁在担任该角色。这样 AWS 就可以验证代入方是否被允许代入角色。
在文档中:
This is an unsigned call, meaning that the app does not need to have access to any AWS security credentials in order to make the call.
这似乎是不正确的信息。
这确实是文档中的错误,正在更正中。 AssumeRole 确实需要现有的长期(IAM 用户)或临时凭证凭证才能调用。它是两个联合等效项,AssumeRoleWithSAML 和 AssumeRoleWithWebIdentity,无需凭据即可调用。抱歉造成混淆!