AWS config option source_profile results in AccessDenied when calling AssumeRole operation
I am setting up the AWS CLI on Windows 10 using the credentials and config files. In the config file, I defined a config_profile and used source_profile in it to link it to the profile defined in credentials.
When I run aws configure list --profile config_profile, I get:
An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
Are you allowed to make the switch? See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html
When you create a role for cross-account access, you establish trust
from the account that owns the role and the resources (trusting
account) to the account that contains the users (trusted account). To
do this, you specify the trusted account number as the Principal in
the role's trust policy. That allows potentially any user in the
trusted account to assume the role. To complete the configuration, the
administrator of the trusted account must give specific groups or
users in that account permission to switch to the role.
To grant a user permission to switch to a role, you create a new
policy for the user or edit an existing policy to add the required
elements.
A policy that grants a user permission to assume a role must include a
statement with the Allow effect on the following:
The sts:AssumeRole action
The Amazon Resource Name (ARN) of the role in a Resource element
For example:
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/Test*"
  }
}
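A local check of the two documents the quoted passage describes, the caller's identity policy and the role's trust policy, as an added example that is not part of the original answer or AWS's own tooling. The account IDs, ARNs and function names are constructed placeholders, and the check ignores Condition blocks, NotAction/NotResource, permission boundaries and SCPs.

```python
import re

def as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_match(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.I if ignore_case else 0) is not None

def matching(policy, effect, action="sts:AssumeRole"):
    # "Statement" may be one object (as in the answer's policy) or a list.
    return [s for s in as_list(policy["Statement"]) if s["Effect"] == effect
            and any(wildcard_match(a, action, True) for a in as_list(s.get("Action", [])))]

def identity_allows(policy, role_arn):
    def hit(s):  # resource ARNs are compared case-sensitively
        return any(wildcard_match(r, role_arn) for r in as_list(s.get("Resource", [])))
    if any(hit(s) for s in matching(policy, "Deny")):
        return False  # an explicit Deny always wins
    return any(hit(s) for s in matching(policy, "Allow"))

def trust_allows(trust_policy, caller_arn):
    account = caller_arn.split(":")[4]
    accepted = {caller_arn, account, f"arn:aws:iam::{account}:root"}
    def listed(s):
        p = s.get("Principal", {})
        return set(as_list(p.get("AWS", []))) if isinstance(p, dict) else set()
    return any(accepted & listed(s) for s in matching(trust_policy, "Allow"))

def diagnose(identity_policy, trust_policy, caller_arn, role_arn):
    problems = []
    if not identity_allows(identity_policy, role_arn):
        problems.append("identity policy does not allow sts:AssumeRole on " + role_arn)
    if not trust_allows(trust_policy, caller_arn):
        problems.append("role trust policy does not trust " + caller_arn)
    return problems

# Constructed sample documents; account IDs, user and role names are placeholders.
ROLE, CALLER = "arn:aws:iam::111122223333:role/TestRole", "arn:aws:iam::444455556666:user/alice"
IDENTITY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111122223333:role/Test*"}}
TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::444455556666:root"}}]}

if __name__ == "__main__":
    print(diagnose(IDENTITY, TRUST, CALLER, ROLE) or "both documents allow the switch")
```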