我試圖在我的PHP程序中使用AWS sts調用AssumeRole函數,因爲我想創建臨時憑證以允許用戶爲AWS存儲桶創建對象。AWS AssumeRole授權不起作用
下面是我調用PHP的fumction:
$sts = StsClient::factory(array(
'key' => 'XXXXXXXXXXXXXX',
'secret' => 'XXXXXXXXXXXXXXXX',
'token.ttd' => $timetodie
));
$bucket = "mybucket";
$result1 = $sts->assumeRole(array(
'RoleArn' => 'arn:aws:iam::123456789012:role/createPic',
'RoleSessionName' => 'mytest',
'Policy' => json_encode(array(
'Statement' => array(
array(
'Sid' => 'Deny attributes',
'Action' => array(
's3:deleteObject',
's3:deleteBucket'
),
'Effect' => 'Deny',
'Resource' => array(
"arn:aws:s3:::{$bucket}",
"arn:aws:s3:::{$bucket}/AWSLogs/*"
),
'Principal' => array(
'AWS' => "*"
)
)
)
)
),
'DurationSeconds' => 3600,
// 'ExternalId' => 'string',
));
$credentials = $result1->get('Credentials');
不過,我不斷收到以下錯誤:
用戶阿爾恩:AWS:IAM :: 123456789012:用戶/ TVMUser無權執行:STS:AssumeRole資源:阿爾恩:AWS:IAM :: 123456789012:角色/ createPic
下面是我的AWS控制檯上我的權限之TVMUser政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect":"Allow",
"Action":"ec2:RunInstances",
"Resource":"*"
},
{
"Effect":"Allow",
"Action":"iam:PassRole",
"Resource":"arn:aws:iam::791758789361:user/TVMUser"
},
{
"Effect":"Allow",
"Action":"sts:AssumeRole",
"Resource":"arn:aws:iam::791758789361:role/createPic"
}
]
}
下面是我對角色createPic作用的政策:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:Get*",
"s3:List*",
"s3:Put*",
],
"Effect": "Allow",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::123456789012:role/createPic"
}
]
}
難道現在的人什麼我在AWS政策聲明和在AWS上設置的思念,所以我沒有得到錯誤:用戶阿爾恩:AWS :iam :: 123456789012:user/TVMUser未被授權執行:sts:資源上的AssumeRole:arn:aws:iam :: 123456789012:role/createPic?
我錯過了什麼嗎?
我認爲在許可的資源assumeRole 791758789361是一個錯字,你的意思是123456789012。 –