Accessing S3 with Roles Anywhere

In this section we use IAM Roles Anywhere from the CLI to obtain temporary credentials and access S3.

IAM Roles Anywhere credential helper

Download the IAM Roles Anywhere credential helper:

curl https://rolesanywhere.amazonaws.com/releases/1.0.2/X86_64/Linux/aws_signing_helper --output aws_signing_helper

chmod +x aws_signing_helper

Get the ARN of the trust anchor created in the previous section:

[screenshot: trust anchor ARN in the console]

Get the ARN of the profile created in the previous section:

[screenshot: profile ARN in the console]

Get the ARN of the Role created in the previous section:

[screenshot: role ARN in the console]

They are, respectively:

arn:aws:rolesanywhere:us-east-1:145197526627:trust-anchor/4c079004-3191-4ed4-9cef-a62d3dd3a6d2
arn:aws:rolesanywhere:us-east-1:145197526627:profile/a8998516-f3a5-41bc-8a5e-592b3ced7583
arn:aws:iam::145197526627:role/ra-access-s3

Run the following command to obtain temporary AWS credentials through the IAM Roles Anywhere credential helper:

./aws_signing_helper credential-process --certificate workload-a.iamra.test_cert.pem \
--private-key workload-a.iamra.test_private_u.pem \
--trust-anchor-arn <TRUST ANCHOR ARN VALUE> \
--profile-arn <PROFILE ARN VALUE> \
--role-arn <ROLE ARN VALUE> | jq

Substituting the three values above, the actual command is:

./aws_signing_helper credential-process --certificate workload-a.iamra.test_cert.pem \
--private-key workload-a.iamra.test_private_u.pem \
--trust-anchor-arn arn:aws:rolesanywhere:us-east-1:145197526627:trust-anchor/4c079004-3191-4ed4-9cef-a62d3dd3a6d2 \
--profile-arn arn:aws:rolesanywhere:us-east-1:145197526627:profile/a8998516-f3a5-41bc-8a5e-592b3ced7583 \
--role-arn arn:aws:iam::145197526627:role/ra-access-s3 | jq

Output:

[screenshot: JSON credential output of the helper]

Run it several more times: each run returns a different set of credentials, and they are time-limited (1h):

[screenshot: repeated runs with differing credentials and expiration times]

Using the credentials from the CLI

The command above returned temporary AWS credentials; next we configure the AWS CLI to use them.

Edit the ~/.aws/config file and add the following lines:

[profile workload-a]
credential_process = ./aws_signing_helper credential-process --certificate workload-a.iamra.test_cert.pem --private-key workload-a.iamra.test_private_u.pem --trust-anchor-arn $TA_ARN --profile-arn $RA_ARN --role-arn $IAM_ROLE_ARN

[profile workload-b]
credential_process = ./aws_signing_helper credential-process --certificate workload-b.iamra.test_cert.pem --private-key workload-b.iamra.test_private_u.pem --trust-anchor-arn $TA_ARN --profile-arn $RA_ARN --role-arn $IAM_ROLE_ARN

The file after the lines have been added:

[screenshot: ~/.aws/config with the two profiles]

After saving, run on the command line:

aws sts get-caller-identity --profile workload-a

The output shows the role currently assumed:

[screenshot: get-caller-identity output showing the assumed role]

S3 commands run with this role succeed:

[screenshot: S3 command output for workload-a]

The same works with workload-b, which can also access S3:

[screenshot: S3 command output for workload-b]
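The JSON the helper prints follows the AWS credential_process contract (Version 1, AccessKeyId, SecretAccessKey, SessionToken, Expiration), and the CLI consumes the same document from the credential_process line in ~/.aws/config. The Python below is an added example, not code from this page or from the signing helper: it validates a constructed sample response the way the CLI would, computes the remaining session lifetime, and builds a credential_process line with the ARNs substituted literally. It assumes the CLI splits the credential_process string itself and runs the helper without a shell, so `$TA_ARN`-style variables in the config would not be expanded.

```python
import json
import shlex
from datetime import datetime

# Constructed sample of what `aws_signing_helper credential-process` prints.
# Key material is placeholder text, not real credentials.
SAMPLE_OUTPUT = json.dumps({
    "Version": 1,
    "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
    "SecretAccessKey": "placeholder-secret-access-key",
    "SessionToken": "placeholder-session-token",
    "Expiration": "2023-10-01T08:25:48Z",
})

REQUIRED = ("Version", "AccessKeyId", "SecretAccessKey",
            "SessionToken", "Expiration")


def _parse_ts(value: str) -> datetime:
    # Accept the RFC 3339 'Z' suffix as well as an explicit UTC offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_credential_process_output(text: str, now_iso: str) -> dict:
    """Validate credential_process JSON as the CLI would consume it.

    Returns the access key id and remaining lifetime in seconds, or
    raises ValueError when the document would be rejected.
    """
    doc = json.loads(text)
    missing = [k for k in REQUIRED if k not in doc]
    if missing:
        raise ValueError(f"missing keys: {missing}")
    if doc["Version"] != 1:
        raise ValueError(f"unsupported Version {doc['Version']}")
    # Roles Anywhere sessions are temporary credentials (ASIA... keys); a
    # long-lived AKIA key here means the wrong credential source was used.
    if not doc["AccessKeyId"].startswith("ASIA"):
        raise ValueError("expected a temporary access key id")
    remaining = int((_parse_ts(doc["Expiration"]) - _parse_ts(now_iso)).total_seconds())
    if remaining <= 0:
        raise ValueError("credentials already expired")
    return {"access_key_id": doc["AccessKeyId"], "remaining_seconds": remaining}


def credential_process_line(helper, cert, key, ta_arn, profile_arn, role_arn):
    """Build a ~/.aws/config credential_process line with literal ARNs."""
    argv = [helper, "credential-process", "--certificate", cert,
            "--private-key", key, "--trust-anchor-arn", ta_arn,
            "--profile-arn", profile_arn, "--role-arn", role_arn]
    return "credential_process = " + " ".join(shlex.quote(a) for a in argv)
```

Run `credential_process_line` once per workload and paste each result under its `[profile ...]` header; the private key file named in the line must be readable only by the user running the CLI.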