Assume a role with AWS STS using an AWS SDK - AWS Identity and Access Management

The following code examples show how to assume a role with AWS STS.

JavaScript
SDK for JavaScript V3
Tip

To learn more about how to set up and run this example, see GitHub.

Create the client.

```javascript
import { STSClient } from "@aws-sdk/client-sts";
// Set the AWS Region.
const REGION = "REGION"; //e.g. "us-east-1"
// Create an Amazon STS service client object.
const stsClient = new STSClient({ region: REGION });
export { stsClient };
```

Assume an IAM role.

```javascript
// Import required AWS SDK clients and commands for Node.js
import { stsClient } from "./libs/stsClient.js";
import {
  STSClient,
  AssumeRoleCommand,
  GetCallerIdentityCommand,
} from "@aws-sdk/client-sts";

// Set the parameters
export const params = {
  RoleArn: "ARN_OF_ROLE_TO_ASSUME", //ARN_OF_ROLE_TO_ASSUME
  RoleSessionName: "session1",
  DurationSeconds: 900,
};

export const run = async () => {
  try {
    //Assume Role
    const data = await stsClient.send(new AssumeRoleCommand(params));
    const rolecreds = {
      accessKeyId: data.Credentials.AccessKeyId,
      secretAccessKey: data.Credentials.SecretAccessKey,
      sessionToken: data.Credentials.SessionToken,
    };
    //Get Amazon Resource Name (ARN) of current identity
    try {
      // Second client signs with the temporary role credentials and
      // reuses the Region of the base client.
      const stsParams = {
        region: stsClient.config.region,
        credentials: rolecreds,
      };
      const roleStsClient = new STSClient(stsParams);
      // GetCallerIdentity takes no input parameters.
      const results = await roleStsClient.send(
        new GetCallerIdentityCommand({})
      );
      console.log("Success", results);
    } catch (err) {
      console.log(err, err.stack);
    }
    // Return the AssumeRole response only after the identity check has run.
    return data;
  } catch (err) {
    console.log("Error", err);
  }
};
run();
```
  • For API details, see AssumeRole in the AWS SDK for JavaScript API Reference.

SDK for JavaScript V2
Tip

To learn more about how to set up and run this example, see GitHub.

```javascript
// Load the AWS SDK for Node.js
const AWS = require('aws-sdk');
// Set the region
AWS.config.update({region: 'REGION'});

var roleToAssume = {
  RoleArn: 'arn:aws:iam::123456789012:role/RoleName',
  RoleSessionName: 'session1',
  DurationSeconds: 900,
};
var roleCreds;

// Create the STS service object
var sts = new AWS.STS({apiVersion: '2011-06-15'});

//Assume Role
sts.assumeRole(roleToAssume, function(err, data) {
  if (err) console.log(err, err.stack);
  else {
    roleCreds = {
      accessKeyId: data.Credentials.AccessKeyId,
      secretAccessKey: data.Credentials.SecretAccessKey,
      sessionToken: data.Credentials.SessionToken,
    };
    stsGetCallerIdentity(roleCreds);
  }
});

//Get Arn of current identity
function stsGetCallerIdentity(creds) {
  var stsParams = {credentials: creds};
  // Create STS service object
  var sts = new AWS.STS(stsParams);

  sts.getCallerIdentity({}, function(err, data) {
    if (err) {
      console.log(err, err.stack);
    } else {
      console.log(data.Arn);
    }
  });
}
```
  • For API details, see AssumeRole in the AWS SDK for JavaScript API Reference.

Python
SDK for Python (Boto3)
Tip

To learn more about how to set up and run this example, see GitHub.

Assume an IAM role that requires an MFA token and use temporary credentials to list the Amazon S3 buckets for the account.

```python
import boto3


def list_buckets_from_assumed_role_with_mfa(
        assume_role_arn, session_name, mfa_serial_number, mfa_totp, sts_client):
    """
    Assumes a role from another account and uses the temporary credentials from
    that role to list the Amazon S3 buckets that are owned by the other account.
    Requires an MFA device serial number and token.

    The assumed role must grant permission to list the buckets in the other account.

    :param assume_role_arn: The Amazon Resource Name (ARN) of the role that
                            grants access to list the other account's buckets.
    :param session_name: The name of the STS session.
    :param mfa_serial_number: The serial number of the MFA device. For a virtual MFA
                              device, this is an ARN.
    :param mfa_totp: A time-based, one-time password issued by the MFA device.
    :param sts_client: A Boto3 STS instance that has permission to assume the role.
    """
    response = sts_client.assume_role(
        RoleArn=assume_role_arn,
        RoleSessionName=session_name,
        SerialNumber=mfa_serial_number,
        TokenCode=mfa_totp)
    temp_credentials = response['Credentials']
    print(f"Assumed role {assume_role_arn} and got temporary credentials.")

    # Build the S3 resource from the temporary role credentials only.
    s3_resource = boto3.resource(
        's3',
        aws_access_key_id=temp_credentials['AccessKeyId'],
        aws_secret_access_key=temp_credentials['SecretAccessKey'],
        aws_session_token=temp_credentials['SessionToken'])

    print("Listing buckets for the assumed role's account:")
    for bucket in s3_resource.buckets.all():
        print(bucket.name)
```
  • For API details, see AssumeRole in the AWS SDK for Python (Boto3) API Reference.
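
The following is an added example, not part of the AWS sample code: before handing the temporary credentials to another client, it checks that the AssumeRole response names the role and session that were requested and that the credentials are not about to expire. The function names, the five-minute margin, and the sample response are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def expected_assumed_role_arn(role_arn, session_name):
    """Derive the STS ARN that AssumeRole should report for role_arn."""
    parts = role_arn.split(":", 5)
    if len(parts) != 6 or parts[2] != "iam" or not parts[5].startswith("role/"):
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    partition, account = parts[1], parts[4]
    # The assumed-role ARN carries only the role name, never the role path.
    role_name = parts[5].rsplit("/", 1)[-1]
    return f"arn:{partition}:sts::{account}:assumed-role/{role_name}/{session_name}"


def session_kwargs(response, role_arn, session_name, now=None,
                   min_remaining=timedelta(minutes=5)):
    """Validate an AssumeRole response and return boto3 credential kwargs."""
    now = now or datetime.now(timezone.utc)
    got = response["AssumedRoleUser"]["Arn"]
    want = expected_assumed_role_arn(role_arn, session_name)
    if got != want:
        raise ValueError(f"assumed identity {got!r} does not match {want!r}")
    creds = response["Credentials"]
    # Boto3 returns Expiration as a timezone-aware datetime.
    if creds["Expiration"] - now < min_remaining:
        raise ValueError("temporary credentials are expired or about to expire")
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


# Constructed sample: the shape of an AssumeRole response with DurationSeconds=900.
ROLE_ARN = "arn:aws:iam::123456789012:role/RoleName"
ISSUED = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "constructed-secret-key",
        "SessionToken": "constructed-session-token",
        "Expiration": ISSUED + timedelta(seconds=900),
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:session1",
        "Arn": "arn:aws:sts::123456789012:assumed-role/RoleName/session1",
    },
}
```

The returned dictionary can be passed as keyword arguments to `boto3.resource` or `boto3.client` in place of the individual credential fields.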

Ruby
SDK for Ruby
Tip

To learn more about how to set up and run this example, see GitHub.

```ruby
# Aws::STS::Client and Aws::AssumeRoleCredentials are provided by aws-sdk-core.
require "aws-sdk-core"

# Creates an AWS Security Token Service (AWS STS) client with specified credentials.
# This is separated into a factory function so that it can be mocked for unit testing.
#
# @param key_id [String] The ID of the access key used by the STS client.
# @param key_secret [String] The secret part of the access key used by the STS client.
def create_sts_client(key_id, key_secret)
  Aws::STS::Client.new(access_key_id: key_id, secret_access_key: key_secret)
end

# Gets temporary credentials that can be used to assume a role.
#
# @param role_arn [String] The ARN of the role that is assumed when these credentials
#                          are used.
# @param sts_client [Aws::STS::Client] An AWS STS client.
# @return [Aws::AssumeRoleCredentials] The credentials that can be used to assume the role.
def assume_role(role_arn, sts_client)
  credentials = Aws::AssumeRoleCredentials.new(
    client: sts_client,
    role_arn: role_arn,
    role_session_name: "create-use-assume-role-scenario"
  )
  puts("Assumed role '#{role_arn}', got temporary credentials.")
  credentials
end
```
  • For API details, see AssumeRole in the AWS SDK for Ruby API Reference.

For a complete list of AWS SDK developer guides and code examples, see Using IAM with an AWS SDK. This topic also includes information about getting started and details about previous SDK versions.