範本程式碼:使用多重要素驗證請求憑證 - AWS Identity and Access Management

本文為英文版的機器翻譯版本,如內容有任何歧義或不一致之處,概以英文版為準。

範本程式碼:使用多重要素驗證請求憑證

以下範例顯示如何呼叫 GetSessionTokenAssumeRole 操作,並傳遞 MFA 驗證參數。呼叫 GetSessionToken 不需要許可,但您必須擁有一個可讓您呼叫 AssumeRole 的政策。傳回的憑證隨後用於列出帳戶中的所有 S3 儲存貯體。

GetSessionToken 使用 MFA 驗證進行呼叫

以下範例說明如何呼叫 GetSessionToken 並傳遞 MFA 身分驗證資訊。然後,由 GetSessionToken 操作傳回的臨時安全憑證用於列出帳戶中的所有 S3 儲存貯體。

連接到執行此程式碼的使用者的政策 (或群組中的使用者),會針對傳回的臨時憑證提供許可。對於此範本程式碼,政策必須授予使用者許可來請求 Amazon S3 ListBuckets 操作。

下列程式碼範例會示範如何取得工作階段 Token, AWS STS 並使用它來執行需要 MFA 權杖的服務動作。

CLI
AWS CLI

為 IAM 身分取得一組短期憑證

下列 get-session-token 命令會為進行呼叫的 IAM 身分擷取一組短期憑證。產生的憑證可用於政策要求多重要素驗證 (MFA) 的請求。憑證會在產生後的 15 分鐘過期。

aws sts get-session-token \ --duration-seconds 900 \ --serial-number "YourMFADeviceSerialNumber" \ --token-code 123456

輸出:

{ "Credentials": { "AccessKeyId": "ASIAIOSFODNN7EXAMPLE", "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY", "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE", "Expiration": "2020-05-19T18:06:10+00:00" } }

如需詳細資訊,請參閱《AWS IAM 使用者指南》中的請求臨時安全憑證

  • 如需 API 詳細資訊,請參閱AWS CLI 命令參考GetSessionToken中的。

Python
適用於 Python (Boto3) 的 SDK
注意

還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫

透過傳遞 MFA 字符取得工作階段字符,並使用它列出該帳戶的 Amazon S3 儲存貯體。

def list_buckets_with_session_token_with_mfa(mfa_serial_number, mfa_totp, sts_client): """ Gets a session token with MFA credentials and uses the temporary session credentials to list Amazon S3 buckets. Requires an MFA device serial number and token. :param mfa_serial_number: The serial number of the MFA device. For a virtual MFA device, this is an Amazon Resource Name (ARN). :param mfa_totp: A time-based, one-time password issued by the MFA device. :param sts_client: A Boto3 STS instance that has permission to assume the role. """ if mfa_serial_number is not None: response = sts_client.get_session_token( SerialNumber=mfa_serial_number, TokenCode=mfa_totp ) else: response = sts_client.get_session_token() temp_credentials = response["Credentials"] s3_resource = boto3.resource( "s3", aws_access_key_id=temp_credentials["AccessKeyId"], aws_secret_access_key=temp_credentials["SecretAccessKey"], aws_session_token=temp_credentials["SessionToken"], ) print(f"Buckets for the account:") for bucket in s3_resource.buckets.all(): print(bucket.name)
  • 如需 API 的詳細資訊,請參閱AWS 開發套件GetSessionToken中的 Python (博托 3) API 參考。

AssumeRole 使用 MFA 驗證進行呼叫

以下範例說明如何呼叫 AssumeRole 並傳遞 MFA 身分驗證資訊。然後,由 AssumeRole 傳回的臨時安全憑證用於列出帳戶中的所有 Amazon S3 儲存貯體。

如需有關此案例的詳細資訊,請參閱 使用案例:跨帳戶委派的 MFA 防護

下列程式碼範例顯示如何假設角色與 AWS STS.

.NET
AWS SDK for .NET
注意

還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫

using System; using System.Threading.Tasks; using Amazon; using Amazon.SecurityToken; using Amazon.SecurityToken.Model; namespace AssumeRoleExample { class AssumeRole { /// <summary> /// This example shows how to use the AWS Security Token /// Service (AWS STS) to assume an IAM role. /// /// NOTE: It is important that the role that will be assumed has a /// trust relationship with the account that will assume the role. /// /// Before you run the example, you need to create the role you want to /// assume and have it trust the IAM account that will assume that role. /// /// See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html /// for help in working with roles. /// </summary> private static readonly RegionEndpoint REGION = RegionEndpoint.USWest2; static async Task Main() { // Create the SecurityToken client and then display the identity of the // default user. var roleArnToAssume = "arn:aws:iam::123456789012:role/testAssumeRole"; var client = new Amazon.SecurityToken.AmazonSecurityTokenServiceClient(REGION); // Get and display the information about the identity of the default user. var callerIdRequest = new GetCallerIdentityRequest(); var caller = await client.GetCallerIdentityAsync(callerIdRequest); Console.WriteLine($"Original Caller: {caller.Arn}"); // Create the request to use with the AssumeRoleAsync call. var assumeRoleReq = new AssumeRoleRequest() { DurationSeconds = 1600, RoleSessionName = "Session1", RoleArn = roleArnToAssume }; var assumeRoleRes = await client.AssumeRoleAsync(assumeRoleReq); // Now create a new client based on the credentials of the caller assuming the role. var client2 = new AmazonSecurityTokenServiceClient(credentials: assumeRoleRes.Credentials); // Get and display information about the caller that has assumed the defined role. var caller2 = await client2.GetCallerIdentityAsync(callerIdRequest); Console.WriteLine($"AssumedRole Caller: {caller2.Arn}"); } } }
  • 如需 API 詳細資訊,請參閱 AWS SDK for .NET API 參考AssumeRole中的。

Bash
AWS CLI 使用 Bash 腳本
注意

還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫

############################################################################### # function iecho # # This function enables the script to display the specified text only if # the global variable $VERBOSE is set to true. ############################################################################### function iecho() { if [[ $VERBOSE == true ]]; then echo "$@" fi } ############################################################################### # function errecho # # This function outputs everything sent to it to STDERR (standard error output). ############################################################################### function errecho() { printf "%s\n" "$*" 1>&2 } ############################################################################### # function sts_assume_role # # This function assumes a role in the AWS account and returns the temporary # credentials. # # Parameters: # -n role_session_name -- The name of the session. # -r role_arn -- The ARN of the role to assume. # # Returns: # [access_key_id, secret_access_key, session_token] # And: # 0 - If successful. # 1 - If an error occurred. ############################################################################### function sts_assume_role() { local role_session_name role_arn response local option OPTARG # Required to use getopts command in a function. # bashsupport disable=BP5008 function usage() { echo "function sts_assume_role" echo "Assumes a role in the AWS account and returns the temporary credentials:" echo " -n role_session_name -- The name of the session." echo " -r role_arn -- The ARN of the role to assume." echo "" } while getopts n:r:h option; do case "${option}" in n) role_session_name=${OPTARG} ;; r) role_arn=${OPTARG} ;; h) usage return 0 ;; \?) ech o"Invalid parameter" usage return 1 ;; esac done response=$(aws sts assume-role \ --role-session-name "$role_session_name" \ --role-arn "$role_arn" \ --output text \ --query "Credentials.[AccessKeyId, SecretAccessKey, SessionToken]") local error_code=${?} if [[ $error_code -ne 0 ]]; then aws_cli_error_log $error_code errecho "ERROR: AWS reports create-role operation failed.\n$response" return 1 fi echo "$response" return 0 }
  • 如需 API 詳細資訊,請參閱AWS CLI 命令參考AssumeRole中的。

C++
適用於 C++ 的 SDK
注意

還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫

bool AwsDoc::STS::assumeRole(const Aws::String &roleArn, const Aws::String &roleSessionName, const Aws::String &externalId, Aws::Auth::AWSCredentials &credentials, const Aws::Client::ClientConfiguration &clientConfig) { Aws::STS::STSClient sts(clientConfig); Aws::STS::Model::AssumeRoleRequest sts_req; sts_req.SetRoleArn(roleArn); sts_req.SetRoleSessionName(roleSessionName); sts_req.SetExternalId(externalId); const Aws::STS::Model::AssumeRoleOutcome outcome = sts.AssumeRole(sts_req); if (!outcome.IsSuccess()) { std::cerr << "Error assuming IAM role. " << outcome.GetError().GetMessage() << std::endl; } else { std::cout << "Credentials successfully retrieved." << std::endl; const Aws::STS::Model::AssumeRoleResult result = outcome.GetResult(); const Aws::STS::Model::Credentials &temp_credentials = result.GetCredentials(); // Store temporary credentials in return argument. // Note: The credentials object returned by assumeRole differs // from the AWSCredentials object used in most situations. credentials.SetAWSAccessKeyId(temp_credentials.GetAccessKeyId()); credentials.SetAWSSecretKey(temp_credentials.GetSecretAccessKey()); credentials.SetSessionToken(temp_credentials.GetSessionToken()); } return outcome.IsSuccess(); }
  • 如需 API 詳細資訊,請參閱 AWS SDK for C++ API 參考AssumeRole中的。

CLI
AWS CLI

擔任角色

下列 assume-role 命令會為 IAM 角色 s3-access-example 擷取一組短期憑證。

aws sts assume-role \ --role-arn arn:aws:iam::123456789012:role/xaccounts3access \ --role-session-name s3-access-example

輸出:

{ "AssumedRoleUser": { "AssumedRoleId": "AROA3XFRBF535PLBIFPI4:s3-access-example", "Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example" }, "Credentials": { "SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI", "SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=", "Expiration": "2016-03-15T00:05:07Z", "AccessKeyId": "ASIAJEXAMPLEXEG2JICEA" } }

該命令的輸出包含存取金鑰、私密金鑰以及可用來向 AWS 進行驗證的工作階段字符。

對於 AWS CLI 使用,您可以設置與角色關聯的具名配置文件。當您使用設定檔時, AWS CLI 會為您呼叫 assume-role 並管理認證。如需詳細資訊,請參閱 CLI 使用者指南中的 AWS CLI 中的AWS 使用 IAM 角色

  • 如需 API 詳細資訊,請參閱AWS CLI 命令參考AssumeRole中的。

Java
適用於 Java 2.x 的 SDK
注意

還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫

import software.amazon.awssdk.regions.Region; import software.amazon.awssdk.services.sts.StsClient; import software.amazon.awssdk.services.sts.model.AssumeRoleRequest; import software.amazon.awssdk.services.sts.model.StsException; import software.amazon.awssdk.services.sts.model.AssumeRoleResponse; import software.amazon.awssdk.services.sts.model.Credentials; import java.time.Instant; import java.time.ZoneId; import java.time.format.DateTimeFormatter; import java.time.format.FormatStyle; import java.util.Locale; /** * To make this code example work, create a Role that you want to assume. * Then define a Trust Relationship in the AWS Console. You can use this as an * example: * * { * "Version": "2012-10-17", * "Statement": [ * { * "Effect": "Allow", * "Principal": { * "AWS": "<Specify the ARN of your IAM user you are using in this code * example>" * }, * "Action": "sts:AssumeRole" * } * ] * } * * For more information, see "Editing the Trust Relationship for an Existing * Role" in the AWS Directory Service guide. * * Also, set up your development environment, including your credentials. * * For information, see this documentation topic: * * https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html */ public class AssumeRole { public static void main(String[] args) { final String usage = """ Usage: <roleArn> <roleSessionName>\s Where: roleArn - The Amazon Resource Name (ARN) of the role to assume (for example, rn:aws:iam::000008047983:role/s3role).\s roleSessionName - An identifier for the assumed role session (for example, mysession).\s """; if (args.length != 2) { System.out.println(usage); System.exit(1); } String roleArn = args[0]; String roleSessionName = args[1]; Region region = Region.US_EAST_1; StsClient stsClient = StsClient.builder() .region(region) .build(); assumeGivenRole(stsClient, roleArn, roleSessionName); stsClient.close(); } public static void assumeGivenRole(StsClient stsClient, String roleArn, String roleSessionName) { try { AssumeRoleRequest roleRequest = AssumeRoleRequest.builder() .roleArn(roleArn) .roleSessionName(roleSessionName) .build(); AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest); Credentials myCreds = roleResponse.credentials(); // Display the time when the temp creds expire. Instant exTime = myCreds.expiration(); String tokenInfo = myCreds.sessionToken(); // Convert the Instant to readable date. DateTimeFormatter formatter = DateTimeFormatter.ofLocalizedDateTime(FormatStyle.SHORT) .withLocale(Locale.US) .withZone(ZoneId.systemDefault()); formatter.format(exTime); System.out.println("The token " + tokenInfo + " expires on " + exTime); } catch (StsException e) { System.err.println(e.getMessage()); System.exit(1); } } }
  • 如需 API 詳細資訊,請參閱 AWS SDK for Java 2.x API 參考AssumeRole中的。

JavaScript
適用於 JavaScript (v3) 的開發套件
注意

還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫

建立用戶端。

import { STSClient } from "@aws-sdk/client-sts"; // Set the AWS Region. const REGION = "us-east-1"; // Create an AWS STS service client object. export const client = new STSClient({ region: REGION });

擔任 IAM 角色。

import { AssumeRoleCommand } from "@aws-sdk/client-sts"; import { client } from "../libs/client.js"; export const main = async () => { try { // Returns a set of temporary security credentials that you can use to // access Amazon Web Services resources that you might not normally // have access to. const command = new AssumeRoleCommand({ // The Amazon Resource Name (ARN) of the role to assume. RoleArn: "ROLE_ARN", // An identifier for the assumed role session. RoleSessionName: "session1", // The duration, in seconds, of the role session. The value specified // can range from 900 seconds (15 minutes) up to the maximum session // duration set for the role. DurationSeconds: 900, }); const response = await client.send(command); console.log(response); } catch (err) { console.error(err); } };
  • 如需 API 詳細資訊,請參閱 AWS SDK for JavaScript API 參考AssumeRole中的。

適用於 JavaScript (v2) 的開發套件
注意

還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫

// Load the AWS SDK for Node.js const AWS = require("aws-sdk"); // Set the region AWS.config.update({ region: "REGION" }); var roleToAssume = { RoleArn: "arn:aws:iam::123456789012:role/RoleName", RoleSessionName: "session1", DurationSeconds: 900, }; var roleCreds; // Create the STS service object var sts = new AWS.STS({ apiVersion: "2011-06-15" }); //Assume Role sts.assumeRole(roleToAssume, function (err, data) { if (err) console.log(err, err.stack); else { roleCreds = { accessKeyId: data.Credentials.AccessKeyId, secretAccessKey: data.Credentials.SecretAccessKey, sessionToken: data.Credentials.SessionToken, }; stsGetCallerIdentity(roleCreds); } }); //Get Arn of current identity function stsGetCallerIdentity(creds) { var stsParams = { credentials: creds }; // Create STS service object var sts = new AWS.STS(stsParams); sts.getCallerIdentity({}, function (err, data) { if (err) { console.log(err, err.stack); } else { console.log(data.Arn); } }); }
  • 如需 API 詳細資訊,請參閱 AWS SDK for JavaScript API 參考AssumeRole中的。

Python
適用於 Python (Boto3) 的 SDK
注意

還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫

擔任需要 MFA 字符的 IAM 角色,並使用暫時性憑證列出該帳戶的 Amazon S3 儲存貯體。

def list_buckets_from_assumed_role_with_mfa( assume_role_arn, session_name, mfa_serial_number, mfa_totp, sts_client ): """ Assumes a role from another account and uses the temporary credentials from that role to list the Amazon S3 buckets that are owned by the other account. Requires an MFA device serial number and token. The assumed role must grant permission to list the buckets in the other account. :param assume_role_arn: The Amazon Resource Name (ARN) of the role that grants access to list the other account's buckets. :param session_name: The name of the STS session. :param mfa_serial_number: The serial number of the MFA device. For a virtual MFA device, this is an ARN. :param mfa_totp: A time-based, one-time password issued by the MFA device. :param sts_client: A Boto3 STS instance that has permission to assume the role. """ response = sts_client.assume_role( RoleArn=assume_role_arn, RoleSessionName=session_name, SerialNumber=mfa_serial_number, TokenCode=mfa_totp, ) temp_credentials = response["Credentials"] print(f"Assumed role {assume_role_arn} and got temporary credentials.") s3_resource = boto3.resource( "s3", aws_access_key_id=temp_credentials["AccessKeyId"], aws_secret_access_key=temp_credentials["SecretAccessKey"], aws_session_token=temp_credentials["SessionToken"], ) print(f"Listing buckets for the assumed role's account:") for bucket in s3_resource.buckets.all(): print(bucket.name)
  • 如需 API 的詳細資訊,請參閱AWS 開發套件AssumeRole中的 Python (博托 3) API 參考。

Ruby
適用於 Ruby 的開發套件
注意

還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫

# Creates an AWS Security Token Service (AWS STS) client with specified credentials. # This is separated into a factory function so that it can be mocked for unit testing. # # @param key_id [String] The ID of the access key used by the STS client. # @param key_secret [String] The secret part of the access key used by the STS client. def create_sts_client(key_id, key_secret) Aws::STS::Client.new(access_key_id: key_id, secret_access_key: key_secret) end # Gets temporary credentials that can be used to assume a role. # # @param role_arn [String] The ARN of the role that is assumed when these credentials # are used. # @param sts_client [AWS::STS::Client] An AWS STS client. # @return [Aws::AssumeRoleCredentials] The credentials that can be used to assume the role. def assume_role(role_arn, sts_client) credentials = Aws::AssumeRoleCredentials.new( client: sts_client, role_arn: role_arn, role_session_name: "create-use-assume-role-scenario" ) @logger.info("Assumed role '#{role_arn}', got temporary credentials.") credentials end
  • 如需 API 詳細資訊,請參閱 AWS SDK for Ruby API 參考AssumeRole中的。

Rust
適用於 Rust 的 SDK
注意

還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫

async fn assume_role(config: &SdkConfig, role_name: String, session_name: Option<String>) { let provider = aws_config::sts::AssumeRoleProvider::builder(role_name) .session_name(session_name.unwrap_or("rust_sdk_example_session".into())) .configure(config) .build() .await; let local_config = aws_config::from_env() .credentials_provider(provider) .load() .await; let client = Client::new(&local_config); let req = client.get_caller_identity(); let resp = req.send().await; match resp { Ok(e) => { println!("UserID : {}", e.user_id().unwrap_or_default()); println!("Account: {}", e.account().unwrap_or_default()); println!("Arn : {}", e.arn().unwrap_or_default()); } Err(e) => println!("{:?}", e), } }
  • 如需 API 的詳細資訊,請參閱 AWS SDK AssumeRole中的 Rust API 參考資料。

Swift
適用於 Swift 的 SDK
注意

這是適用於預覽版本 SDK 的發行前版本文件。內容可能變動。

注意

還有更多關於 GitHub。尋找完整範例,並了解如何在AWS 設定和執行程式碼範例儲存庫

public func assumeRole(role: IAMClientTypes.Role, sessionName: String) async throws -> STSClientTypes.Credentials { let input = AssumeRoleInput( roleArn: role.arn, roleSessionName: sessionName ) do { let output = try await stsClient.assumeRole(input: input) guard let credentials = output.credentials else { throw ServiceHandlerError.authError } return credentials } catch { throw error } }
  • 有關 API 的詳細信息,請參閱 AWS SDK AssumeRole中的斯威夫特 API 參考