How do I use IAM roles to access resources with temporary credentials?

2023-09-11 11:24:53 Author: 闯入君怀


I'm using AWS IAM roles that allow an instance to have access to certain resources using temporary API credentials (access key, secret key and security token).

When I test the temporary credentials using this Ruby script, it runs without any problems:

require 'rubygems'
require 'aws-sdk'
# Temporary credentials need all three parts: key id, secret key and session token
AWS.config(
    :access_key_id     => "MY ACCESS KEY GOES HERE",
    :secret_access_key => "MY SECRET KEY GOES HERE",
    :session_token     => "MY TOKEN GOES HERE")
s3 = AWS::S3.new()
# Fetch one object from the bucket and write it to a local file
myfile = s3.buckets['My-Config'].objects["file.sh"]
File.open("/tmp/file.sh", "w") do |f|
    f.write(myfile.read)
end

But when using the command line to run cfn-describe-stacks I get an error:

export AWS_CREDENTIAL_FILE=aws_credentials.cfg
cfn-describe-stacks
cfn-describe-stacks:  Refused: The security token included in the request is invalid

and here is my aws_credentials.cfg:

AWSAccessKeyId=MY ACCESS KEY
AWSSecretKey=My SECRET KEY
AWSToken="MY TOKEN=="

So what am I missing here? Thank you!
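The question relies on two credential formats: the KEY=VALUE file read through AWS_CREDENTIAL_FILE and the JSON document the instance metadata service returns for an instance role (AccessKeyId, SecretAccessKey, Token, Expiration). The following Ruby is an added example, not code from the question or from AWS: it parses both formats into the hash that AWS.config expects and checks, before any request is made, for the two conditions that produce a "security token ... invalid" style rejection, a temporary access key (prefix ASIA) used without its session token, and an expired token. All key and token values are constructed placeholders.

```ruby
require 'json'
require 'time'

# Constructed sample of the AWS_CREDENTIAL_FILE format (placeholder values).
# Note the token contains '=' characters, which is why the parser must split
# on the first '=' only.
SAMPLE_CREDENTIAL_FILE = <<~CFG
  # credentials for the cfn-* tools
  AWSAccessKeyId=ASIAEXAMPLEKEYID
  AWSSecretKey=EXAMPLESECRETKEY
  AWSToken="EXAMPLE/TOKEN+abc=="
CFG

# Constructed sample of the instance-role credential document served by the
# instance metadata service (real field names, fake values).
SAMPLE_METADATA_DOC = <<~JSON
  {
    "Code": "Success",
    "LastUpdated": "2023-09-11T03:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "EXAMPLESECRETKEY",
    "Token": "EXAMPLE/TOKEN+abc==",
    "Expiration": "2023-09-11T09:00:00Z"
  }
JSON

# Parse KEY=VALUE lines; blank lines and '#' comments are skipped and
# surrounding double quotes are removed from the value.
def parse_credential_file(text)
  creds = {}
  text.each_line do |line|
    line = line.strip
    next if line.empty? || line.start_with?('#')
    key, value = line.split('=', 2)
    next if value.nil?
    value = value.strip
    if value.length >= 2 && value.start_with?('"') && value.end_with?('"')
      value = value[1..-2]
    end
    creds[key.strip] = value
  end
  creds
end

# Parse the metadata document into AWS.config-style options plus expiry.
def parse_metadata_document(json_text)
  doc = JSON.parse(json_text)
  raise "metadata lookup failed: #{doc['Code']}" unless doc['Code'] == 'Success'
  {
    access_key_id: doc.fetch('AccessKeyId'),
    secret_access_key: doc.fetch('SecretAccessKey'),
    session_token: doc.fetch('Token'),
    expiration: Time.iso8601(doc.fetch('Expiration'))
  }
end

# Map the credential-file keys onto the options AWS.config takes; the token is
# optional in the file, so it is only set when present.
def sdk_config_from_file(creds)
  cfg = {
    access_key_id: creds.fetch('AWSAccessKeyId'),
    secret_access_key: creds.fetch('AWSSecretKey')
  }
  cfg[:session_token] = creds['AWSToken'] if creds['AWSToken']
  cfg
end

# Temporary (role/STS) access keys begin with "ASIA", long-term user keys with
# "AKIA". Return a list of reasons the credentials would be rejected.
def credential_problems(cfg, now = Time.now)
  problems = []
  token = cfg[:session_token]
  if cfg[:access_key_id].start_with?('ASIA') && (token.nil? || token.empty?)
    problems << 'temporary access key without a session token'
  end
  if cfg[:expiration] && cfg[:expiration] <= now
    problems << 'credentials expired'
  end
  problems
end

if __FILE__ == $0
  cfg = sdk_config_from_file(parse_credential_file(SAMPLE_CREDENTIAL_FILE))
  puts "file config: #{cfg.inspect}"
  puts "problems: #{credential_problems(cfg).inspect}"
  md = parse_metadata_document(SAMPLE_METADATA_DOC)
  puts "metadata problems: #{credential_problems(md).inspect}"
end
```

Running the check on a config built from a file with the AWSToken line dropped reports the missing token, which is the same mismatch (temporary key id, no token) that a tool ignoring AWSToken would send to the API.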

Solution

I don't think that the CLI tools support temporary credentials. If they did, you should be able to pass your "AWSToken" in as a command line parameter. But according to the documentation, it only supports passing in the access key id and secret key as parameters.

-I, --access-key-id VALUE

Specify VALUE as the AWS Access ID to use.

-S, --secret-key VALUE

Specify VALUE as the AWS Secret Key to use.