Here I am using AWS Security Token Service to create temporary security credentials from a Spring MVC / Java application. While creating the temporary security credentials I ran into an exception.
Exception:
Exception in thread "main" com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: Roles may not be assumed by root accounts. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 205e48a6-263e-430f-9545-4991426e36cf; Proxy: null)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1418)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1387)
My Java code:
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;

String clientRegion = "us-east-1";
String roleARN = "arn:aws:iam::<ACCOUNT-HYPHENS>:role/<ROLE-NAME>";
// Long-term access key pair used to sign the STS call
AWSCredentials credentials = new BasicAWSCredentials("accessKey", "secretKey");
AWSCredentialsProvider credentialsProvider = new AWSStaticCredentialsProvider(credentials);
AssumeRoleRequest assumeRequest = new AssumeRoleRequest()
        .withRoleArn(roleARN)
        .withDurationSeconds(3600).withRoleSessionName("TEST");
AWSSecurityTokenService securityTokenService = AWSSecurityTokenServiceClientBuilder.standard()
        .withRegion(clientRegion).withCredentials(credentialsProvider).build();
AssumeRoleResult result = securityTokenService.assumeRole(assumeRequest);
System.out.println(result);
The exception you are getting indicates that the AWS account you are using to assume the IAM role specified by the roleARN parameter is a root account, and root accounts are not allowed to assume roles. To create temporary security credentials in Java with AWS Security Token Service (STS), you can modify your code as follows:
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;

String clientRegion = "us-east-1";
String roleARN = "arn:aws:iam::<ACCOUNT-HYPHENS>:role/<ROLE-NAME>";
// Resolve credentials from the environment, system properties, profile file, etc.
AWSCredentialsProvider credentialsProvider = new DefaultAWSCredentialsProviderChain();
AssumeRoleRequest assumeRequest = new AssumeRoleRequest()
        .withRoleArn(roleARN)
        .withDurationSeconds(3600).withRoleSessionName("TEST");
AWSSecurityTokenService securityTokenService = AWSSecurityTokenServiceClientBuilder.standard()
        .withRegion(clientRegion).withCredentials(credentialsProvider).build();
AssumeRoleResult result = securityTokenService.assumeRole(assumeRequest);
// Temporary access key, secret key, session token and expiration time
Credentials temporaryCredentials = result.getCredentials();
// Use temporaryCredentials to perform AWS operations
This code uses DefaultAWSCredentialsProviderChain to obtain the AWS credentials needed for the STS call. The provider chain searches for AWS credentials in various locations, such as environment variables, system properties, and the AWS credentials file.
Once the temporary credentials are obtained, they can be used to perform AWS operations. You can create a new BasicAWSCredentials object from the temporary credentials and pass it to the client object that performs the AWS operations.
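The following is an added, self-contained example (not code from the question or the answer above) that puts the whole flow together with AWS SDK for Java v1: it first calls GetCallerIdentity to check whether the resolved credentials belong to the account root user (a root ARN ends in ":root"), so the 403 "Roles may not be assumed by root accounts" seen in the question is caught before AssumeRole with a clear message; it then assumes the role with the shortest allowed lifetime, wraps the returned temporary credentials in BasicSessionCredentials so the session token is sent with every signed request, and uses them to build an S3 client. The role ARN is a placeholder and the S3 call is only an illustration of using the session; both are assumptions, not values from the page.

```java
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicSessionCredentials;
import com.amazonaws.auth.DefaultAWSCredentialsProviderChain;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.s3.model.Bucket;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityResult;

public class AssumeRoleExample {

    static final String REGION = "us-east-1";
    // Placeholder role ARN (assumed for this example; replace with a real one).
    static final String ROLE_ARN = "arn:aws:iam::<ACCOUNT-ID>:role/<ROLE-NAME>";

    /** True when the caller's credentials belong to the account root user (ARN ends in ":root"). */
    static boolean isRootCaller(AWSSecurityTokenService sts) {
        GetCallerIdentityResult who = sts.getCallerIdentity(new GetCallerIdentityRequest());
        return who.getArn().endsWith(":root");
    }

    /** Assume the role and return the temporary credentials issued by STS. */
    static Credentials assumeRole(AWSSecurityTokenService sts, String roleArn, String sessionName) {
        AssumeRoleRequest request = new AssumeRoleRequest()
                .withRoleArn(roleArn)
                // The session name is recorded in CloudTrail; use something that identifies the caller.
                .withRoleSessionName(sessionName)
                // 900 seconds is the minimum STS allows; keep sessions as short as the job permits.
                .withDurationSeconds(900);
        AssumeRoleResult result = sts.assumeRole(request);
        return result.getCredentials();
    }

    /** Wrap the temporary credentials (key, secret AND session token) in a provider for other clients. */
    static AWSCredentialsProvider sessionProvider(Credentials c) {
        BasicSessionCredentials session = new BasicSessionCredentials(
                c.getAccessKeyId(), c.getSecretAccessKey(), c.getSessionToken());
        return new AWSStaticCredentialsProvider(session);
    }

    public static void main(String[] args) {
        // Long-term credentials come from the environment / profile, never from source code.
        AWSCredentialsProvider base = new DefaultAWSCredentialsProviderChain();
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
                .withRegion(REGION).withCredentials(base).build();

        if (isRootCaller(sts)) {
            throw new IllegalStateException(
                    "Resolved credentials belong to the account root user; "
                    + "AssumeRole would be denied. Configure an IAM user or role instead.");
        }

        Credentials temp = assumeRole(sts, ROLE_ARN, "billing-report-job");
        System.out.println("Temporary session expires at " + temp.getExpiration());

        // Any service client built from the session provider runs with the role's permissions only.
        AmazonS3 s3 = AmazonS3ClientBuilder.standard()
                .withRegion(REGION).withCredentials(sessionProvider(temp)).build();
        for (Bucket b : s3.listBuckets()) {
            System.out.println(b.getName());
        }
    }
}
```

For a long-running service, the SDK's STSAssumeRoleSessionCredentialsProvider (built with its Builder from the role ARN and session name) is the usual replacement for the static provider above: it calls AssumeRole itself and refreshes the session before the expiration returned in temp.getExpiration(), so downstream clients never hold an expired token.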