文档冲突
documentation here ,与 AssumeRole 相关,似乎在一个连续的 block 中自相矛盾:
You must call this API using existing IAM user credentials. For more information, see Creating a Role to Delegate Permissions to an IAM User and Configuring MFA-Protected API Access.
This is an unsigned call, meaning that the app does not need to have access to any AWS security credentials in order to make the call.
对矛盾进行粗体强调。
代码示例
code sample provided here当然似乎需要凭据:
AmazonSecurityTokenServiceClient securityTokenServiceClient = new AmazonSecurityTokenServiceClient(
Config.AccessKey,
secretKeyAsString,
securityTokenServiceConfig);
…
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest
{
DurationSeconds = sessionDurationSec,
RoleArn = roleArn,
RoleSessionName = awsUsername,
ExternalId = groupSid
};
…
assumeRoleResponse = securityTokenServiceClient.AssumeRole(assumeRoleRequest);
结论
哪个是真的?代码示例中的请求真的是多余的吗?
谢谢!
最佳答案
AssumeRole API 调用需要现有 AWS 凭证。
为了承担 IAM 角色,必须使用一组现有凭证,以便 AWS 知道谁承担该角色。这样 AWS 就可以验证承担方是否有权承担该角色。
在文档中:
This is an unsigned call, meaning that the app does not need to have access to any AWS security credentials in order to make the call.
这似乎是不正确的信息。
关于amazon-web-services - AWS STS AssumeRole : Are IAM user credentials needed, 与否?,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/38664381/