问题描述
AWS角色用于需要访问AWS服务的服务,例如S3等使用临时凭证。这些都是使用STS完成的。当来自一个帐户的用户/应用程序需要临时访问其他帐户拥有的资源时,这很有用。
但是,仅当使用Profile属性传递凭据时,STS才会发布临时凭据。无论如何,至少这就是AWS提供的代码所隐含的含义
import com.amazonaws.AmazonServiceException;
import com.amazonaws.SdkClientException;
import com.amazonaws.auth.AWsstaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.profile.ProfileCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.ObjectListing;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;
public class MakingRequestsWithIAMTempCredentials {
public static void main(String[] args) {
String clientRegion = "*** Client region ***";
String roleARN = "*** ARN for role to be assumed ***";
String roleSessionName = "*** Role session name ***";
String bucketName = "*** Bucket name ***";
try {
// Creating the STS client is part of your trusted code. It has
// the security credentials you use to obtain temporary security credentials.
AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
.withCredentials(new ProfileCredentialsProvider())
.withRegion(clientRegion)
.build();
// Obtain credentials for the IAM role. Note that you cannot assume the role of an AWS root account;
// Amazon S3 will deny access. You must use credentials for an IAM user or an IAM role.
AssumeRoleRequest roleRequest = new AssumeRoleRequest()
.withRoleArn(roleARN)
.withRoleSessionName(roleSessionName);
AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
Credentials sessionCredentials = roleResponse.getCredentials();
// Create a BasicSessionCredentials object that contains the credentials you just retrieved.
BasicSessionCredentials awsCredentials = new BasicSessionCredentials(
sessionCredentials.getAccessKeyId(),sessionCredentials.getSecretAccessKey(),sessionCredentials.getSessionToken());
// Provide temporary security credentials so that the Amazon S3 client
// can send authenticated requests to Amazon S3. You create the client
// using the sessionCredentials object.
AmazonS3 s3Client = AmazonS3ClientBuilder.standard()
.withCredentials(new AWsstaticCredentialsProvider(awsCredentials))
.withRegion(clientRegion)
.build();
// Verify that assuming the role worked and the permissions are set correctly
// by getting a set of object keys from the bucket.
ObjectListing objects = s3Client.listObjects(bucketName);
System.out.println("No. of Objects: " + objects.getobjectSummaries().size());
}
catch(AmazonServiceException e) {
// The call was transmitted successfully,but Amazon S3 Couldn't process
// it,so it returned an error response.
e.printstacktrace();
}
catch(SdkClientException e) {
// Amazon S3 Couldn't be contacted for a response,or the client
// Couldn't parse the response from Amazon S3.
e.printstacktrace();
}
}
}
以上代码仅在不提供某些凭据的情况下起作用。所以我的问题是,当我仅使用访问/秘密密钥时,角色在这里有什么用?
解决方法
您刚才提到的凭据是临时的,这正是建议使用IAM角色的众多原因之一。
角色可以应用于AWS服务以及资源,例如,EC2实例可以具有与AWS关联的角色,这些角色会自动轮流这些服务。另外,您可以使用STS承担角色,可以从IAM用户,角色或federated user承担角色。
您应尽量避免使用IAM用户,这有一些用例,例如已签名的URL(您希望它持续几个小时以上)以及在本地位置。如果必须使用IAM密钥,则应确保经常旋转密钥。
有关更多信息,请查看IAM Identities (users,groups,and roles)和Security best practices in IAM页面。