
Unable to assume a role through a Lambda function - Python

  •  3
  • Ajay Misra  · Tech Community  · 7 years ago

Hi, I have had this strange problem since yesterday. I have a Python module web_token.py; when I run it manually in PyCharm and print request_url it works perfectly fine and outputs the request URL. But when I zip my web_token.py and fetch_account.py together and upload them to a Lambda function, it gives me the following error -

Code snippet from

    import boto3
    
    import web_token  # importing this module runs its AssumeRole call at import time
    
    
    def get_account(event, context):
        # Lambda handler: look up the caller in the Sandbox-Users table and
        # hand back the federation sign-in URL computed by web_token
        client = boto3.client('dynamodb')
        NameID = "test@orgz.com"
        ManagerEmail = "test1@orgaz.com"
        response = client.scan(  # the scan result is not used further in this snippet
            TableName='Sandbox-Users',
            ScanFilter={
                'NameID': {
                    'AttributeValueList': [
                        {
                            'S': NameID,
                        },
                    ],
                    'ComparisonOperator': 'EQ'
                }
            }
        )
        return web_token.request_url
    

    # Python 2 standard library, as used on the python2.7 Lambda runtime
    import httplib
    import urllib, json
    import boto3
    
    # Everything below runs at import time, i.e. as soon as the handler module
    # imports web_token inside the Lambda container.
    client = boto3.client('sts')
    assumed_role_object = client.assume_role(
        RoleArn="arn:aws:iam::4540XXXXXXXX:role/AMPSandboxRole",
        RoleSessionName="AssumeRoleSession"
    )
    
    # Step 3: Format resulting temporary credentials into JSON
    json_string_with_temp_credentials = '{'
    json_string_with_temp_credentials += '"sessionId":"' + assumed_role_object.get("Credentials").get("AccessKeyId") + '",'
    json_string_with_temp_credentials += '"sessionKey":"' + assumed_role_object.get("Credentials").get("SecretAccessKey") + '",'
    json_string_with_temp_credentials += '"sessionToken":"' + assumed_role_object.get("Credentials").get("SessionToken") + '"'
    json_string_with_temp_credentials += '}'
    
    # Step 4. Make request to AWS federation endpoint to get sign-in token. Construct the parameter string with
    # the sign-in action request, a 12-hour session duration, and the JSON document with temporary credentials
    # as parameters.
    request_parameters = "?Action=getSigninToken"
    request_parameters += "&SessionDuration=43200"
    request_parameters += "&Session=" + urllib.quote_plus(json_string_with_temp_credentials)
    request_url = "/federation" + request_parameters
    
    conn = httplib.HTTPSConnection("signin.aws.amazon.com")
    conn.request("GET", request_url)
    r = conn.getresponse()
    # Returns a JSON document with a single element named SigninToken.
    signin_token = json.loads(r.read())
    
    # Step 5: Build the console login URL that carries the sign-in token
    request_parameters = "?Action=login"
    request_parameters += "&Issuer=sandbox.com"
    request_parameters += "&Destination=" + urllib.quote_plus("https://console.aws.amazon.com/")
    request_parameters += "&SigninToken=" + signin_token["SigninToken"]
    request_url = "https://signin.aws.amazon.com/federation" + request_parameters
    

Update: I have two policies attached to the sandbox-amp_sandbox-dev role -

        {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": [
                    "sqs:SendMessage",
                    "sqs:SendMessageBatch"
                ],
                "Resource": "arn:aws:sqs:*:131703196249:org-logging-prod",
                "Effect": "Allow"
            },
            {
                "Action": [
                    "ec2:DescribeInstances",
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ],
                "Resource": "*",
                "Effect": "Allow"
            },
            {
                "Effect": "Allow",
                "Action": "s3:*",
                "Resource": [
                    "arn:aws:s3:::em-log-intake-us-east-1-prod/*",
                    "arn:aws:s3:::em-log-intake-us-west-2-prod/*"
                ]
            }
        ]
    }
    

sandbox-amp_sandbox-policy-dev [in 5398XXXXXXX]

        {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "",
                "Effect": "Allow",
                "Action": "dynamodb:*",
                "Resource": "arn:aws:dynamodb:*:*:*"
            }
        ]
    }
    

Update 2.0: The policies above are from my account 5398XXXXXXX. I have the following role AMPSandboxRole in account 4540XXXXXXXX, and under this role I have the following policies

Assume role [in 4540XXXXXXXX]

        {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Resource": "arn:aws:iam::*:role/AMPSandboxRole",
                "Action": "sts:AssumeRole"
            }
        ]
    }
    

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "organizations:Describe*",
                    "organizations:List*",
                    "organizations:CreateAccount",
                    "organizations:MoveAccount"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "organizations:MoveAccount"
                ],
                "Resource": "arn:aws:organizations::454084028794:root/o-eyec2h6qr0/r-ekzh"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "organizations:*"
                ],
                "Resource": "arn:aws:organizations::45xxxxxxxxxx:ou/o-eyec2h6qr0/ou-ekzh-x2xcsupl"
            }
        ]
    }
    

Update 3.0: Trust relationship in 45xxxxxxxxx

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::53xxxxxxxxxx:root"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    
4 replies  |  7 years ago
    1
  •  1
  •   John Rotenstein    7 years ago

The error says:

User: arn:aws:sts::5398XXXXXXX:assumed-role/sandbox-amp_sandbox-dev/sandbox-dev-amp_sandbox is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::4540xxxxxxx:role/ampandbox

dynamodb:*. It also needs access to AssumeRole.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PermitDynamoDB",
          "Action": "dynamodb:*",
          "Effect": "Allow",
          "Resource": "*"
        },
        {
          "Sid": "PermitAssumeRole",
          "Action": [
            "sts:AssumeRole"
          ],
          "Effect": "Allow",
          "Resource": "arn:aws:iam::4540XXXXXXXX:role/AMPSandboxRole"
        }
      ]
    }
    
    2
  •  1
  •   Dattatray    6 years ago

You need to edit the trust relationship and add the name of the role to be trusted. Below is an example -

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::<<Account-ID>>:role/<Role_Name_to_be_trusted>",
            "Service": "lambda.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    

Here is a useful link - https://github.com/serverless/serverless/issues/3040

    3
  •  0
  •   Ajay Misra    6 years ago

I was finally able to figure this out with some people from the AWS team. So whenever we assume a role from one account into another, we need to explicitly provide the access key and secret key of the account from which we are assuming the role. It should look something like this -

    sts_connection = boto3.client('sts',
                                      aws_access_key_id="",
                                      aws_secret_access_key="")
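
As an added example (not the thread's web_token.py and not AWS sample code), here is the same federation flow written for Python 3, with the STS call and the HTTPS call injected so it runs and can be tested offline. Inside Lambda the STS client obtains credentials from boto3's default chain, which resolves to the function's execution role, so no access key or secret key is embedded in the code; the calling role's policy still has to allow sts:AssumeRole on the target role, and the target's trust policy has to name the caller. The role ARN, the issuer and the credentials used in the test are constructed placeholders.

```python
"""Console sign-in URL for an assumed role, built on the Lambda execution role.

Added example, not the thread's web_token.py. Credentials for the STS call
come from boto3's default chain (the execution role inside Lambda), so no
access key or secret key is embedded. Network calls are injected so the
function can be exercised offline; the real callers are in main().
"""
import json
from urllib.parse import quote_plus, urlencode

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def signin_token_query(credentials, session_duration=43200):
    """Query string for Action=getSigninToken (12-hour session, as in the thread).
    json.dumps escapes the credential document properly; concatenating quoted
    strings by hand breaks as soon as a value contains a quote or a backslash."""
    session = json.dumps({
        "sessionId": credentials["AccessKeyId"],
        "sessionKey": credentials["SecretAccessKey"],
        "sessionToken": credentials["SessionToken"],
    }, separators=(",", ":"))
    return "?" + urlencode({
        "Action": "getSigninToken",
        "SessionDuration": str(session_duration),
        "Session": session,
    }, quote_via=quote_plus)


def login_url(signin_token, issuer, destination="https://console.aws.amazon.com/"):
    """Final URL a user can open; it carries the short-lived sign-in token."""
    return FEDERATION_ENDPOINT + "?" + urlencode({
        "Action": "login",
        "Issuer": issuer,
        "Destination": destination,
        "SigninToken": signin_token,
    }, quote_via=quote_plus)


def console_url_for_role(role_arn, issuer, assume_role, fetch_signin_token,
                         session_name="AssumeRoleSession"):
    """assume_role(role_arn, session_name) -> STS AssumeRole response dict;
    fetch_signin_token(query) -> parsed JSON from the federation endpoint."""
    creds = assume_role(role_arn, session_name)["Credentials"]
    response = fetch_signin_token(signin_token_query(creds))
    if "SigninToken" not in response:
        raise RuntimeError("federation endpoint returned no SigninToken: %r" % response)
    return login_url(response["SigninToken"], issuer)


def _sts_assume_role(role_arn, session_name):
    import boto3  # imported here so the module loads without boto3 installed
    # No aws_access_key_id / aws_secret_access_key: the execution role is used.
    return boto3.client("sts").assume_role(RoleArn=role_arn, RoleSessionName=session_name)


def _fetch_signin_token_https(query):
    from urllib.request import urlopen
    with urlopen(FEDERATION_ENDPOINT + query) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # ROLE_ARN is a placeholder; the calling role's policy must allow
    # sts:AssumeRole on it and its trust policy must name the caller.
    ROLE_ARN = "arn:aws:iam::<TARGET-ACCOUNT-ID>:role/AMPSandboxRole"
    print(console_url_for_role(ROLE_ARN, "sandbox.com",
                               _sts_assume_role, _fetch_signin_token_https))
```

Because the two network calls are parameters, the same function can be run in a unit test with fakes and in Lambda with the real STS client and the federation endpoint; the error path is explicit, so a misconfigured policy surfaces as an exception rather than a KeyError deep inside the handler.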
    

    4
  •  0
  •   BMW    6 years ago

I think you forgot the Principal entry in the trust relationship policy document:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "PermitAssumeRole",
          "Action": [
            "sts:AssumeRole"
          ],
          "Principal": {
            "Service": [
              "dynamodb.amazonaws.com",
              "lambda.amazonaws.com"
            ]
          },
          "Effect": "Allow",
          "Resource": "arn:aws:iam::4540XXXXXXXX:role/AMPSandboxRole"
        }
      ]
    }
    

Principal element in the trust policy document.

The Principal element is the AWS resource that you want to assume the role.
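
A cross-account AssumeRole has two halves, which answers 1, 2 and 4 address separately: the caller's permission policy must allow sts:AssumeRole on the target role ARN (answer 1), and the target role's trust policy must name the caller's account or role as Principal (answers 2 and 4). As an added example, not from the thread, here is a simplified evaluator run over the policies posted above. It handles Action and Resource wildcards and explicit Deny, but ignores Conditions, NotAction, service control policies and session policies, so it is a sanity check rather than a replacement for the IAM policy simulator. The sample policies are the thread's own with their masked account IDs; the trust-policy principal is constructed to reuse the caller's masked ID so that the two strings compare equal.

```python
"""Simplified check of the two policies involved in a cross-account AssumeRole.

Added example, not from the thread. Handles Allow/Deny, Action and Resource
wildcards and account-root trust; it ignores Conditions, NotAction/NotResource,
SCPs and session policies.
"""
import fnmatch


def _as_list(value):
    """IAM accepts a single string wherever a list is allowed."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive; '*' and '?' are IAM wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def permission_allows(policy, action, resource):
    """True if an identity (permission) policy allows `action` on `resource`.
    An explicit Deny overrides any Allow, as in IAM."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if not _action_matches(_as_list(stmt.get("Action", [])), action):
            continue
        if not any(fnmatch.fnmatchcase(resource, p)
                   for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_allows(trust_policy, caller_arn):
    """True if the target role's trust policy lets `caller_arn` call sts:AssumeRole.
    "arn:aws:iam::<account>:root" as Principal trusts the whole account, so any
    role or user from that account matches (its own policy must still allow it)."""
    account_root = "arn:aws:iam::%s:root" % caller_arn.split(":")[4]
    allowed = False
    for stmt in _as_list(trust_policy["Statement"]):
        if not _action_matches(_as_list(stmt.get("Action", [])), "sts:AssumeRole"):
            continue
        principal = stmt.get("Principal", {})
        trusted = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(t in ("*", caller_arn, account_root) for t in trusted):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def can_assume(permission_policy, trust_policy, caller_arn, target_role_arn):
    """Both halves must hold; the result shows which half is missing."""
    result = {
        "permission": permission_allows(permission_policy, "sts:AssumeRole", target_role_arn),
        "trust": trust_allows(trust_policy, caller_arn),
    }
    result["ok"] = result["permission"] and result["trust"]
    return result


# --- sample input taken from the thread, masked account IDs kept as posted ---
CALLER = "arn:aws:iam::5398XXXXXXX:role/sandbox-amp_sandbox-dev"
TARGET = "arn:aws:iam::4540XXXXXXXX:role/AMPSandboxRole"

# The role's original policy: DynamoDB only, no sts:AssumeRole
DYNAMO_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "", "Effect": "Allow", "Action": "dynamodb:*",
     "Resource": "arn:aws:dynamodb:*:*:*"}]}

# The policy proposed in answer 1
FIXED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "PermitDynamoDB", "Action": "dynamodb:*", "Effect": "Allow", "Resource": "*"},
    {"Sid": "PermitAssumeRole", "Action": ["sts:AssumeRole"], "Effect": "Allow",
     "Resource": TARGET}]}

# Trust policy on AMPSandboxRole (update 3.0); the principal's account ID is
# constructed to equal the caller's masked ID so the strings compare equal.
TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::5398XXXXXXX:root"},
     "Action": "sts:AssumeRole"}]}


if __name__ == "__main__":
    print("original policy:", can_assume(DYNAMO_ONLY, TRUST, CALLER, TARGET))
    print("fixed policy:   ", can_assume(FIXED, TRUST, CALLER, TARGET))
```

Run against the thread's original policy the result is permission=False, trust=True, which matches the error in answer 1 (the trust side was already fine, the caller simply lacked sts:AssumeRole); with answer 1's policy both halves pass.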