Provide temporary credentials in code - AWS SDK for Java 2.x

This is a machine translation of the English version. If the content is ambiguous or inconsistent in any way, the English version prevails.

Provide temporary credentials in code

If the default credentials chain, or a specific or custom provider or provider chain, does not suit your application, you can supply temporary credentials directly in code. These credentials can be IAM role credentials as described above, or temporary credentials retrieved from AWS Security Token Service (AWS STS). If you retrieve temporary credentials using AWS STS, provide them to the AWS service client as shown in the following code example:

  1. Assume a role by calling StsClient.assumeRole().

  2. Create a StaticCredentialsProvider object and supply it with an AwsSessionCredentials object.

  3. Configure the service client builder with the StaticCredentialsProvider and build the client.

The following example uses the temporary credentials that AWS STS returns for an assumed IAM role to create an Amazon S3 service client.

// Imports required by the method below.
import java.util.List;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.Bucket;
import software.amazon.awssdk.services.s3.model.S3Exception;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.AssumeRoleResponse;
import software.amazon.awssdk.services.sts.model.Credentials;
import software.amazon.awssdk.services.sts.model.StsException;

// The AWS IAM Identity Center identity (user) who executes this method does not have permission to list buckets.
// The identity is configured in the [default] profile.
public static void assumeRole(String roleArn, String roleSessionName) {
    // The IAM role represented by the 'roleArn' parameter can be assumed by identities in two different accounts
    // and the role permits the user to only list buckets.
    // The SDK's default credentials provider chain will find the single sign-on settings in the [default] profile.
    // The identity configured with the [default] profile needs permission to call AssumeRole on the STS service.
    try {
        Credentials tempRoleCredentials;
        try (StsClient stsClient = StsClient.create()) {
            AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
                    .roleArn(roleArn)
                    .roleSessionName(roleSessionName)
                    .build();
            AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest);
            tempRoleCredentials = roleResponse.credentials();
        }

        // Use the following temporary credential items for the S3 client.
        String key = tempRoleCredentials.accessKeyId();
        String secKey = tempRoleCredentials.secretAccessKey();
        String secToken = tempRoleCredentials.sessionToken();

        // List all buckets in the account associated with the assumed role
        // by using the temporary credentials retrieved by invoking stsClient.assumeRole().
        StaticCredentialsProvider staticCredentialsProvider = StaticCredentialsProvider.create(
                AwsSessionCredentials.create(key, secKey, secToken));

        try (S3Client s3 = S3Client.builder()
                .credentialsProvider(staticCredentialsProvider)
                .build()) {
            List<Bucket> buckets = s3.listBuckets().buckets();
            for (Bucket bucket : buckets) {
                System.out.println("bucket name: " + bucket.name());
            }
        }
    } catch (StsException | S3Exception e) {
        // 'logger' is a class-level field of the enclosing class, not shown in this excerpt.
        logger.error(e.getMessage());
        System.exit(1);
    }
}
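The static session credentials in the example above are valid only for the STS session duration and never refresh, so a long-running client starts failing once they expire. The following added example (not from the AWS documentation or SDK samples) shows the same assume-role flow using the SDK's StsAssumeRoleCredentialsProvider, which re-calls AssumeRole before expiry; the role ARN and session name are placeholders.

```java
import java.time.Duration;
import java.util.List;

import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.Bucket;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

public class RefreshingAssumeRoleExample {

    // Builds an S3 client whose AssumeRole credentials are refreshed automatically
    // before they expire. StaticCredentialsProvider (previous example) hands the
    // client one fixed set of session credentials; after the STS session duration
    // (default one hour) elapses, every request fails with an expired-token error.
    public static S3Client s3ClientForRole(StsClient stsClient, String roleArn,
                                           String roleSessionName) {
        AssumeRoleRequest request = AssumeRoleRequest.builder()
                .roleArn(roleArn)
                .roleSessionName(roleSessionName)
                // Shortest lifetime STS accepts (900 s): limits how long a leaked
                // session token stays usable.
                .durationSeconds((int) Duration.ofMinutes(15).getSeconds())
                .build();

        AwsCredentialsProvider provider = StsAssumeRoleCredentialsProvider.builder()
                .stsClient(stsClient)
                .refreshRequest(request)
                // Refresh on a background thread rather than on the request path.
                .asyncCredentialUpdateEnabled(true)
                .build();

        return S3Client.builder().credentialsProvider(provider).build();
    }

    public static void main(String[] args) {
        // Placeholder role ARN; substitute a role from your own account.
        String roleArn = "arn:aws:iam::111122223333:role/ROLE_NAME_PLACEHOLDER";
        // The STS client uses the default provider chain ([default] profile), whose
        // identity must be allowed to call sts:AssumeRole on the role.
        try (StsClient stsClient = StsClient.create();
             S3Client s3 = s3ClientForRole(stsClient, roleArn, "list-buckets-session")) {
            List<Bucket> buckets = s3.listBuckets().buckets();
            for (Bucket bucket : buckets) {
                System.out.println("bucket name: " + bucket.name());
            }
        }
    }
}
```

The try-with-resources block closes the S3 client (and with it the refreshing provider) before the STS client, so no refresh is attempted against a closed client.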

The following permission set, defined in AWS IAM Identity Center, allows the identity (user) to perform the following two operations:

  1. The GetObject operation on Amazon Simple Storage Service.

  2. The AssumeRole operation on AWS Security Token Service.

Without assuming the role, the s3.listBuckets() call shown in the example fails.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "sts:AssumeRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Assumed role permissions policy

The following permissions policy is attached to the role assumed in the preceding example. It allows listing all buckets in the same account as the role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Assumed role trust policy

The following trust policy is attached to the role assumed in the preceding example. It allows identities (users) in two accounts to assume the role.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::111122223333:root",
                    "arn:aws:iam::555555555555:root"
                ]
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}