我创建了一个假定的角色,可以访问其他帐户的dynamoDB,并且我使用AWS STS获得了假设角色凭证。
var sts = new AWS.STS({apiVersion: '2011-06-15', region:'us-east-1', endpoint: 'https://sts.amazonaws.com'});
console.log("Before calling the assume role");
sts.assumeRole({
DurationSeconds: 3600,
RoleArn: 'arn:aws:iam::123456789012:role/crossAccount',
RoleSessionName: 'awssdk'
}, function(err, data) {
if (err) {
// an error occurred
console.log('Cannot assume role');
console.log(err, err.stack);
} else {
// successful response
console.log('Role assumed');
// Query function
var dynamodb = new AWS.DynamoDB({apiVersion: '2012-08-10', credentials: data, region: 'eu-west-1'});
console.log("dynamo db " + JSON.stringify(dynamodb));
var params = {
Key: {
"Tid": {
S: "123"
},
},
TableName: "MYTable"
};
dynamodb.getItem(params, function(err, data) {
if (err) { console.log(err, err.stack); console.log("failed"); }// an error occurred
else { console.log(data); console.log("success"); } // successful response
});
以下是确切的错误:
{ CredentialsError: Missing credentials in config at credError (/var/task/node_modules/aws-sdk/lib/config.js:317:40) at getStaticCredentials (/var/task/node_modules/aws-sdk/lib/config.js:338:15) at Config.getCredentials
谢谢
我认为你错过了错误的客户端配置。尝试以下方法;
蟒蛇
# Create IAM client
sts_default_provider_chain = boto3.client('sts')
print('Default Provider Identity: : ' + sts_default_provider_chain.get_caller_identity()['Arn'])
role_to_assume_arn='arn:aws:iam::123456789012:role/roleName'
role_session_name='test_session'
response=sts_default_provider_chain.assume_role(
RoleArn=role_to_assume_arn,
RoleSessionName=role_session_name
)
creds=response['Credentials']
sts_assumed_role = boto3.client('sts',
aws_access_key_id=creds['AccessKeyId'],
aws_secret_access_key=creds['SecretAccessKey'],
aws_session_token=creds['SessionToken'],
)
print('AssumedRole Identity: ' + sts_assumed_role.get_caller_identity()['Arn'])
节点
const getSTS = async () => {
const sts = new AWS.STS({ region: process.env.REGION });
const params = {
RoleArn: 'arn:aws:iam::1234567890:role/someRole',
RoleSessionName: 'CrossAccountCredentials',
ExternalId: '1234567-1234-1234-1234-123456789012',
DurationSeconds: 3600,
};
const assumeRoleStep1 = await sts.assumeRole(params).promise();
console.log('Changed Credentials');
const accessparams = {
accessKeyId: assumeRoleStep1.Credentials.AccessKeyId,
secretAccessKey: assumeRoleStep1.Credentials.SecretAccessKey,
sessionToken: assumeRoleStep1.Credentials.SessionToken,
};
}
AWS.Credentials正在帮助解决getStaticCredentials。此外,如果您拥有这些资源的权限,现在您也可以使用此凭据访问其他资源。这也有助于您仅将凭据用于您需要从其他aws帐户访问的资源。您无需全局设置凭据。
var sts = new AWS.STS({apiVersion: '2011-06-15', region:'us-east-1', endpoint: 'https://sts.amazonaws.com'});
console.log("Before calling the assume role");
sts.assumeRole({
DurationSeconds: 3600,
RoleArn: 'arn:aws:iam::123456789012:role/crossAccount',
RoleSessionName: 'awssdk'
}, function(err, data) {
if (err) {
// an error occurred
console.log('Cannot assume role');
console.log(err, err.stack);
} else {
// successful response
console.log('Role assumed');
// resolving static credential
var creds = new AWS.Credentials({
accessKeyId: data.Credentials.AccessKeyId,
secretAccessKey: data.Credentials.SecretAccessKey,
sessionToken: data.Credentials.SessionToken
});
// Query function
var dynamodb = new AWS.DynamoDB({apiVersion: configuration.API_VERSION, credentials: creds, region: configuration.REGION});
console.log("dynamo db " + JSON.stringify(dynamodb));
var params = {
Key: {
"Tid": {
S: "123"
},
},
TableName: "MYTable"
};
dynamodb.getItem(params, function(err, data) {
if (err) { console.log(err, err.stack); console.log("failed"); }// an error occurred
else { console.log(data); console.log("success"); } // successful response
});
}