文档 AWS SDK 示例 GitHub 存储库中还有更多 [S AWS DK 示例](https://github.com/awsdocs/aws-doc-sdk-examples)。
本文属于机器翻译版本。若本译文内容与英语原文存在差异,则一律以英文原文为准。
# 使用的代码示 AWS STS 例 AWS SDKs
以下代码示例向您展示了如何 AWS Security Token Service 使用 AWS 软件开发套件 (SDK)。
*操作*是大型程序的代码摘录,必须在上下文中运行。您可以通过操作了解如何调用单个服务函数,还可以通过函数相关场景的上下文查看操作。
*场景*是向您展示如何通过在一个服务中调用多个函数或与其他 AWS 服务服务结合来完成特定任务的代码示例。
**更多资源**
+ **[AWS STS 用户指南](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)** —有关的更多信息 AWS STS.
+ **[AWS STS API 参考](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html)**-有关所有可用 AWS STS 操作的详细信息。
+ **[AWS 开发者中心](https://aws.amazon.com/developer/code-examples/?awsf.sdk-code-examples-product=product%23iam)** — 您可以按类别或全文搜索筛选的代码示例。
+ **[AWS SDK 示例](https://github.com/awsdocs/aws-doc-sdk-examples)** — 包含首选语言完整代码的 GitHub 存储库。包括有关设置和运行代码的说明。
**Contents**
+ [基本功能](sts_code_examples_basics.md)
+ [操作](sts_code_examples_actions.md)
+ [`AssumeRole`](sts_example_sts_AssumeRole_section.md)
+ [`AssumeRoleWithWebIdentity`](sts_example_sts_AssumeRoleWithWebIdentity_section.md)
+ [`DecodeAuthorizationMessage`](sts_example_sts_DecodeAuthorizationMessage_section.md)
+ [`GetFederationToken`](sts_example_sts_GetFederationToken_section.md)
+ [`GetSessionToken`](sts_example_sts_GetSessionToken_section.md)
+ [场景](sts_code_examples_scenarios.md)
+ [代入需要 MFA 令牌的 IAM 角色](sts_example_sts_Scenario_AssumeRoleMfa_section.md)
+ [为联合用户构建 URL](sts_example_sts_Scenario_ConstructFederatedUrl_section.md)
+ [获取需要 MFA 令牌的会话令牌](sts_example_sts_Scenario_SessionTokenMfa_section.md)
# 使用的基本示 AWS STS 例 AWS SDKs
以下代码示例说明如何使用 with 的基础 AWS Security Token Service 知识 AWS SDKs。
**Contents**
+ [操作](sts_code_examples_actions.md)
+ [`AssumeRole`](sts_example_sts_AssumeRole_section.md)
+ [`AssumeRoleWithWebIdentity`](sts_example_sts_AssumeRoleWithWebIdentity_section.md)
+ [`DecodeAuthorizationMessage`](sts_example_sts_DecodeAuthorizationMessage_section.md)
+ [`GetFederationToken`](sts_example_sts_GetFederationToken_section.md)
+ [`GetSessionToken`](sts_example_sts_GetSessionToken_section.md)
# 用于 AWS STS 使用的操作 AWS SDKs
以下代码示例演示了如何使用执行单个 AWS STS 操作 AWS SDKs。每个示例都包含一个指向的链接 GitHub,您可以在其中找到有关设置和运行代码的说明。
这些摘录调用 AWS STS API,是大型程序的代码摘录,这些程序必须在上下文中运行。您可以在[AWS STS 使用场景 AWS SDKs](sts_code_examples_scenarios.md)中结合上下文查看操作。
以下示例仅包括最常用的操作。有关完整列表,请参阅 [AWS Security Token Service API 参考](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html)。
**Topics**
+ [`AssumeRole`](sts_example_sts_AssumeRole_section.md)
+ [`AssumeRoleWithWebIdentity`](sts_example_sts_AssumeRoleWithWebIdentity_section.md)
+ [`DecodeAuthorizationMessage`](sts_example_sts_DecodeAuthorizationMessage_section.md)
+ [`GetFederationToken`](sts_example_sts_GetFederationToken_section.md)
+ [`GetSessionToken`](sts_example_sts_GetSessionToken_section.md)
# `AssumeRole`与 AWS SDK 或 CLI 配合使用
以下代码示例演示如何使用 `AssumeRole`。
操作示例是大型程序的代码摘录,必须在上下文中运行。您可以在以下代码示例中查看此操作的上下文:
+ [代入需要 MFA 令牌的 IAM 角色](sts_example_sts_Scenario_AssumeRoleMfa_section.md)
+ [为联合用户构建 URL](sts_example_sts_Scenario_ConstructFederatedUrl_section.md)
------
#### [ .NET ]
**适用于 .NET 的 SDK**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/dotnetv3/STS#code-examples)中查找完整示例,了解如何进行设置和运行。
```
using System;
using System.Threading.Tasks;
using Amazon;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;
namespace AssumeRoleExample
{
class AssumeRole
{
///
/// This example shows how to use the AWS Security Token
/// Service (AWS STS) to assume an IAM role.
///
/// NOTE: It is important that the role that will be assumed has a
/// trust relationship with the account that will assume the role.
///
/// Before you run the example, you need to create the role you want to
/// assume and have it trust the IAM account that will assume that role.
///
/// See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html
/// for help in working with roles.
///
// A region property may be used if the profile or credentials loaded do not specify a region,
// or to use a specific region.
private static readonly RegionEndpoint REGION = RegionEndpoint.USWest2;
static async Task Main()
{
// Create the SecurityToken client and then display the identity of the
// default user.
var roleArnToAssume = "arn:aws:iam::123456789012:role/testAssumeRole";
var client = new Amazon.SecurityToken.AmazonSecurityTokenServiceClient(REGION);
// Get and display the information about the identity of the default user.
var callerIdRequest = new GetCallerIdentityRequest();
var caller = await client.GetCallerIdentityAsync(callerIdRequest);
Console.WriteLine($"Original Caller: {caller.Arn}");
// Create the request to use with the AssumeRoleAsync call.
var assumeRoleReq = new AssumeRoleRequest()
{
DurationSeconds = 1600,
RoleSessionName = "Session1",
RoleArn = roleArnToAssume
};
var assumeRoleRes = await client.AssumeRoleAsync(assumeRoleReq);
// Now create a new client based on the credentials of the caller assuming the role.
var client2 = new AmazonSecurityTokenServiceClient(credentials: assumeRoleRes.Credentials, REGION);
// Get and display information about the caller that has assumed the defined role.
var caller2 = await client2.GetCallerIdentityAsync(callerIdRequest);
Console.WriteLine($"AssumedRole Caller: {caller2.Arn}");
}
}
}
```
+ 有关 API 的详细信息,请参阅 *适用于 .NET 的 AWS SDK API 参考[AssumeRole](https://docs.aws.amazon.com/goto/DotNetSDKV3/sts-2011-06-15/AssumeRole)*中的。
------
#### [ Bash ]
**AWS CLI 使用 Bash 脚本**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/aws-cli/bash-linux/iam#code-examples)中查找完整示例,了解如何进行设置和运行。
```
###############################################################################
# function iecho
#
# This function enables the script to display the specified text only if
# the global variable $VERBOSE is set to true.
###############################################################################
function iecho() {
if [[ $VERBOSE == true ]]; then
echo "$@"
fi
}
###############################################################################
# function errecho
#
# This function outputs everything sent to it to STDERR (standard error output).
###############################################################################
function errecho() {
printf "%s\n" "$*" 1>&2
}
###############################################################################
# function sts_assume_role
#
# This function assumes a role in the AWS account and returns the temporary
# credentials.
#
# Parameters:
# -n role_session_name -- The name of the session.
# -r role_arn -- The ARN of the role to assume.
#
# Returns:
# [access_key_id, secret_access_key, session_token]
# And:
# 0 - If successful.
# 1 - If an error occurred.
###############################################################################
function sts_assume_role() {
local role_session_name role_arn response
local option OPTARG # Required to use getopts command in a function.
# bashsupport disable=BP5008
function usage() {
echo "function sts_assume_role"
echo "Assumes a role in the AWS account and returns the temporary credentials:"
echo " -n role_session_name -- The name of the session."
echo " -r role_arn -- The ARN of the role to assume."
echo ""
}
while getopts n:r:h option; do
case "${option}" in
n) role_session_name=${OPTARG} ;;
r) role_arn=${OPTARG} ;;
h)
usage
return 0
;;
\?)
echo "Invalid parameter"
usage
return 1
;;
esac
done
response=$(aws sts assume-role \
--role-session-name "$role_session_name" \
--role-arn "$role_arn" \
--output text \
--query "Credentials.[AccessKeyId, SecretAccessKey, SessionToken]")
local error_code=${?}
if [[ $error_code -ne 0 ]]; then
aws_cli_error_log $error_code
errecho "ERROR: AWS reports create-role operation failed.\n$response"
return 1
fi
echo "$response"
return 0
}
```
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[AssumeRole](https://docs.aws.amazon.com/goto/aws-cli/sts-2011-06-15/AssumeRole)*中的。
------
#### [ C\$1\$1 ]
**SDK for C\$1\$1**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/cpp/example_code/sts#code-examples)中查找完整示例,了解如何进行设置和运行。
```
bool AwsDoc::STS::assumeRole(const Aws::String &roleArn,
const Aws::String &roleSessionName,
const Aws::String &externalId,
Aws::Auth::AWSCredentials &credentials,
const Aws::Client::ClientConfiguration &clientConfig) {
Aws::STS::STSClient sts(clientConfig);
Aws::STS::Model::AssumeRoleRequest sts_req;
sts_req.SetRoleArn(roleArn);
sts_req.SetRoleSessionName(roleSessionName);
sts_req.SetExternalId(externalId);
const Aws::STS::Model::AssumeRoleOutcome outcome = sts.AssumeRole(sts_req);
if (!outcome.IsSuccess()) {
std::cerr << "Error assuming IAM role. " <<
outcome.GetError().GetMessage() << std::endl;
}
else {
std::cout << "Credentials successfully retrieved." << std::endl;
const Aws::STS::Model::AssumeRoleResult result = outcome.GetResult();
const Aws::STS::Model::Credentials &temp_credentials = result.GetCredentials();
// Store temporary credentials in return argument.
// Note: The credentials object returned by assumeRole differs
// from the AWSCredentials object used in most situations.
credentials.SetAWSAccessKeyId(temp_credentials.GetAccessKeyId());
credentials.SetAWSSecretKey(temp_credentials.GetSecretAccessKey());
credentials.SetSessionToken(temp_credentials.GetSessionToken());
}
return outcome.IsSuccess();
}
```
+ 有关 API 的详细信息,请参阅 *适用于 C\$1\$1 的 AWS SDK API 参考[AssumeRole](https://docs.aws.amazon.com/goto/SdkForCpp/sts-2011-06-15/AssumeRole)*中的。
------
#### [ CLI ]
**AWS CLI**
**要代入角色**
以下 `assume-role` 命令将检索 IAM 角色 `s3-access-example` 的一组短期凭证。
```
aws sts assume-role \
--role-arn arn:aws:iam::123456789012:role/xaccounts3access \
--role-session-name s3-access-example
```
输出:
```
{
"AssumedRoleUser": {
"AssumedRoleId": "AROA3XFRBF535PLBIFPI4:s3-access-example",
"Arn": "arn:aws:sts::123456789012:assumed-role/xaccounts3access/s3-access-example"
},
"Credentials": {
"SecretAccessKey": "9drTJvcXLB89EXAMPLELB8923FB892xMFI",
"SessionToken": "AQoXdzELDDY//////////wEaoAK1wvxJY12r2IrDFT2IvAzTCn3zHoZ7YNtpiQLF0MqZye/qwjzP2iEXAMPLEbw/m3hsj8VBTkPORGvr9jM5sgP+w9IZWZnU+LWhmg+a5fDi2oTGUYcdg9uexQ4mtCHIHfi4citgqZTgco40Yqr4lIlo4V2b2Dyauk0eYFNebHtYlFVgAUj+7Indz3LU0aTWk1WKIjHmmMCIoTkyYp/k7kUG7moeEYKSitwQIi6Gjn+nyzM+PtoA3685ixzv0R7i5rjQi0YE0lf1oeie3bDiNHncmzosRM6SFiPzSvp6h/32xQuZsjcypmwsPSDtTPYcs0+YN/8BRi2/IcrxSpnWEXAMPLEXSDFTAQAM6Dl9zR0tXoybnlrZIwMLlMi1Kcgo5OytwU=",
"Expiration": "2016-03-15T00:05:07Z",
"AccessKeyId": "ASIAJEXAMPLEXEG2JICEA"
}
}
```
该命令的输出包含访问密钥、私有密钥和会话令牌,您可以使用它们对 AWS进行身份验证。
要使用 AWS CLI,您可以设置与角色关联的命名配置文件。当您使用配置文件时, AWS CLI 将调用 assume-role 并为您管理证书。有关更多信息,请参阅 CL [I *用户指南中的在 AWS CL AWS I* 中使用 IAM 角色](https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-role.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[AssumeRole](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role.html)*中的。
------
#### [ Java ]
**适用于 Java 的 SDK 2.x**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javav2/example_code/sts#code-examples)中查找完整示例,了解如何进行设置和运行。
```
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.StsException;
import software.amazon.awssdk.services.sts.model.AssumeRoleResponse;
import software.amazon.awssdk.services.sts.model.Credentials;
import java.time.Instant;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.time.format.FormatStyle;
import java.util.Locale;
/**
* To make this code example work, create a Role that you want to assume.
* Then define a Trust Relationship in the AWS Console. You can use this as an
* example:
*
* {
* "Version":"2012-10-17",
* "Statement": [
* {
* "Effect": "Allow",
* "Principal": {
* "AWS": ""
* },
* "Action": "sts:AssumeRole"
* }
* ]
* }
*
* For more information, see "Editing the Trust Relationship for an Existing
* Role" in the AWS Directory Service guide.
*
* Also, set up your development environment, including your credentials.
*
* For information, see this documentation topic:
*
* https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/get-started.html
*/
public class AssumeRole {
public static void main(String[] args) {
final String usage = """
Usage:
\s
Where:
roleArn - The Amazon Resource Name (ARN) of the role to assume (for example, arn:aws:iam::000008047983:role/s3role).\s
roleSessionName - An identifier for the assumed role session (for example, mysession).\s
""";
if (args.length != 2) {
System.out.println(usage);
System.exit(1);
}
String roleArn = args[0];
String roleSessionName = args[1];
Region region = Region.US_EAST_1;
StsClient stsClient = StsClient.builder()
.region(region)
.build();
assumeGivenRole(stsClient, roleArn, roleSessionName);
stsClient.close();
}
public static void assumeGivenRole(StsClient stsClient, String roleArn, String roleSessionName) {
try {
AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
.roleArn(roleArn)
.roleSessionName(roleSessionName)
.build();
AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest);
Credentials myCreds = roleResponse.credentials();
// Display the time when the temp creds expire.
Instant exTime = myCreds.expiration();
String tokenInfo = myCreds.sessionToken();
// Convert the Instant to readable date.
DateTimeFormatter formatter = DateTimeFormatter.ofLocalizedDateTime(FormatStyle.SHORT)
.withLocale(Locale.US)
.withZone(ZoneId.systemDefault());
formatter.format(exTime);
System.out.println("The token " + tokenInfo + " expires on " + exTime);
} catch (StsException e) {
System.err.println(e.getMessage());
System.exit(1);
}
}
}
```
+ 有关 API 的详细信息,请参阅 *AWS SDK for Java 2.x API 参考[AssumeRole](https://docs.aws.amazon.com/goto/SdkForJavaV2/sts-2011-06-15/AssumeRole)*中的。
------
#### [ JavaScript ]
**适用于 JavaScript (v3) 的软件开发工具包**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascriptv3/example_code/sts#code-examples)中查找完整示例,了解如何进行设置和运行。
创建客户端。
```
import { STSClient } from "@aws-sdk/client-sts";
// Set the AWS Region.
const REGION = "us-east-1";
// Create an AWS STS service client object.
export const client = new STSClient({ region: REGION });
```
代入 IAM 角色。
```
import { AssumeRoleCommand } from "@aws-sdk/client-sts";
import { client } from "../libs/client.js";
export const main = async () => {
try {
// Returns a set of temporary security credentials that you can use to
// access Amazon Web Services resources that you might not normally
// have access to.
const command = new AssumeRoleCommand({
// The Amazon Resource Name (ARN) of the role to assume.
RoleArn: "ROLE_ARN",
// An identifier for the assumed role session.
RoleSessionName: "session1",
// The duration, in seconds, of the role session. The value specified
// can range from 900 seconds (15 minutes) up to the maximum session
// duration set for the role.
DurationSeconds: 900,
});
const response = await client.send(command);
console.log(response);
} catch (err) {
console.error(err);
}
};
```
+ 有关 API 的详细信息,请参阅 *适用于 JavaScript 的 AWS SDK API 参考[AssumeRole](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/sts/command/AssumeRoleCommand)*中的。
**适用于 JavaScript (v2) 的软件开发工具包**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/javascript/example_code/sts#code-examples)中查找完整示例,了解如何进行设置和运行。
```
// Load the AWS SDK for Node.js
const AWS = require("aws-sdk");
// Set the region
AWS.config.update({ region: "REGION" });
var roleToAssume = {
RoleArn: "arn:aws:iam::123456789012:role/RoleName",
RoleSessionName: "session1",
DurationSeconds: 900,
};
var roleCreds;
// Create the STS service object
var sts = new AWS.STS({ apiVersion: "2011-06-15" });
//Assume Role
sts.assumeRole(roleToAssume, function (err, data) {
if (err) console.log(err, err.stack);
else {
roleCreds = {
accessKeyId: data.Credentials.AccessKeyId,
secretAccessKey: data.Credentials.SecretAccessKey,
sessionToken: data.Credentials.SessionToken,
};
stsGetCallerIdentity(roleCreds);
}
});
//Get Arn of current identity
function stsGetCallerIdentity(creds) {
var stsParams = { credentials: creds };
// Create STS service object
var sts = new AWS.STS(stsParams);
sts.getCallerIdentity({}, function (err, data) {
if (err) {
console.log(err, err.stack);
} else {
console.log(data.Arn);
}
});
}
```
+ 有关 API 的详细信息,请参阅 *适用于 JavaScript 的 AWS SDK API 参考[AssumeRole](https://docs.aws.amazon.com/goto/AWSJavaScriptSDK/sts-2011-06-15/AssumeRole)*中的。
------
#### [ PowerShell ]
**适用于 PowerShell V4 的工具**
**示例 1:返回一组临时证书(访问密钥、私有密钥和会话令牌),这些证书可用一小时来访问请求用户通常可能无法访问的 AWS 资源。返回的凭证具有所担任角色的访问策略和所提供策略允许的权限(您不能使用所提供策略授予超出所担任角色访问策略定义权限的权限)。**
```
Use-STSRole -RoleSessionName "Bob" -RoleArn "arn:aws:iam::123456789012:role/demo" -Policy "...JSON policy..." -DurationInSeconds 3600
```
**示例 2:返回一组有效期为一小时的临时凭证,其拥有的权限与所担任角色访问策略中定义的权限相同。**
```
Use-STSRole -RoleSessionName "Bob" -RoleArn "arn:aws:iam::123456789012:role/demo" -DurationInSeconds 3600
```
**示例 3:返回一组临时凭证,提供与用于执行 cmdlet 的用户凭证关联的 MFA 的序列号和生成的令牌。**
```
Use-STSRole -RoleSessionName "Bob" -RoleArn "arn:aws:iam::123456789012:role/demo" -DurationInSeconds 3600 -SerialNumber "GAHT12345678" -TokenCode "123456"
```
**示例 4:返回一组临时凭证,其已承担客户账户中定义的角色。对于第三方可以担任的每个角色,客户账户必须使用每次担任角色时必须在-ExternalId 参数中传递的标识符来创建角色。**
```
Use-STSRole -RoleSessionName "Bob" -RoleArn "arn:aws:iam::123456789012:role/demo" -DurationInSeconds 3600 -ExternalId "ABC123"
```
+ 有关 API 的详细信息,请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [AssumeRole](https://docs.aws.amazon.com/powershell/v4/reference)中的。
**适用于 PowerShell V5 的工具**
**示例 1:返回一组临时证书(访问密钥、私有密钥和会话令牌),这些证书可用一小时来访问请求用户通常可能无法访问的 AWS 资源。返回的凭证具有所担任角色的访问策略和所提供策略允许的权限(您不能使用所提供策略授予超出所担任角色访问策略定义权限的权限)。**
```
Use-STSRole -RoleSessionName "Bob" -RoleArn "arn:aws:iam::123456789012:role/demo" -Policy "...JSON policy..." -DurationInSeconds 3600
```
**示例 2:返回一组有效期为一小时的临时凭证,其拥有的权限与所担任角色访问策略中定义的权限相同。**
```
Use-STSRole -RoleSessionName "Bob" -RoleArn "arn:aws:iam::123456789012:role/demo" -DurationInSeconds 3600
```
**示例 3:返回一组临时凭证,提供与用于执行 cmdlet 的用户凭证关联的 MFA 的序列号和生成的令牌。**
```
Use-STSRole -RoleSessionName "Bob" -RoleArn "arn:aws:iam::123456789012:role/demo" -DurationInSeconds 3600 -SerialNumber "GAHT12345678" -TokenCode "123456"
```
**示例 4:返回一组临时凭证,其已承担客户账户中定义的角色。对于第三方可以担任的每个角色,客户账户必须使用每次担任角色时必须在-ExternalId 参数中传递的标识符来创建角色。**
```
Use-STSRole -RoleSessionName "Bob" -RoleArn "arn:aws:iam::123456789012:role/demo" -DurationInSeconds 3600 -ExternalId "ABC123"
```
+ 有关 API 的详细信息,请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [AssumeRole](https://docs.aws.amazon.com/powershell/v5/reference)中的。
------
#### [ Python ]
**适用于 Python 的 SDK(Boto3)**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/sts#code-examples)中查找完整示例,了解如何进行设置和运行。
代入需要 MFA 令牌的 IAM 角色并使用临时凭证列出该账户的 Amazon S3 存储桶。
```
def list_buckets_from_assumed_role_with_mfa(
assume_role_arn, session_name, mfa_serial_number, mfa_totp, sts_client
):
"""
Assumes a role from another account and uses the temporary credentials from
that role to list the Amazon S3 buckets that are owned by the other account.
Requires an MFA device serial number and token.
The assumed role must grant permission to list the buckets in the other account.
:param assume_role_arn: The Amazon Resource Name (ARN) of the role that
grants access to list the other account's buckets.
:param session_name: The name of the STS session.
:param mfa_serial_number: The serial number of the MFA device. For a virtual MFA
device, this is an ARN.
:param mfa_totp: A time-based, one-time password issued by the MFA device.
:param sts_client: A Boto3 STS instance that has permission to assume the role.
"""
response = sts_client.assume_role(
RoleArn=assume_role_arn,
RoleSessionName=session_name,
SerialNumber=mfa_serial_number,
TokenCode=mfa_totp,
)
temp_credentials = response["Credentials"]
print(f"Assumed role {assume_role_arn} and got temporary credentials.")
s3_resource = boto3.resource(
"s3",
aws_access_key_id=temp_credentials["AccessKeyId"],
aws_secret_access_key=temp_credentials["SecretAccessKey"],
aws_session_token=temp_credentials["SessionToken"],
)
print(f"Listing buckets for the assumed role's account:")
for bucket in s3_resource.buckets.all():
print(bucket.name)
```
+ 有关 API 的详细信息,请参阅适用[AssumeRole](https://docs.aws.amazon.com/goto/boto3/sts-2011-06-15/AssumeRole)于 *Python 的AWS SDK (Boto3) API 参考*。
------
#### [ Ruby ]
**适用于 Ruby 的 SDK**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/ruby/example_code/iam#code-examples)中查找完整示例,了解如何进行设置和运行。
```
# Creates an AWS Security Token Service (AWS STS) client with specified credentials.
# This is separated into a factory function so that it can be mocked for unit testing.
#
# @param key_id [String] The ID of the access key used by the STS client.
# @param key_secret [String] The secret part of the access key used by the STS client.
def create_sts_client(key_id, key_secret)
Aws::STS::Client.new(access_key_id: key_id, secret_access_key: key_secret)
end
# Gets temporary credentials that can be used to assume a role.
#
# @param role_arn [String] The ARN of the role that is assumed when these credentials
# are used.
# @param sts_client [AWS::STS::Client] An AWS STS client.
# @return [Aws::AssumeRoleCredentials] The credentials that can be used to assume the role.
def assume_role(role_arn, sts_client)
credentials = Aws::AssumeRoleCredentials.new(
client: sts_client,
role_arn: role_arn,
role_session_name: 'create-use-assume-role-scenario'
)
@logger.info("Assumed role '#{role_arn}', got temporary credentials.")
credentials
end
```
+ 有关 API 的详细信息,请参阅 *适用于 Ruby 的 AWS SDK API 参考[AssumeRole](https://docs.aws.amazon.com/goto/SdkForRubyV3/sts-2011-06-15/AssumeRole)*中的。
------
#### [ Rust ]
**适用于 Rust 的 SDK**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/rustv1/examples/sts/#code-examples)中查找完整示例,了解如何进行设置和运行。
```
async fn assume_role(config: &SdkConfig, role_name: String, session_name: Option) {
let provider = aws_config::sts::AssumeRoleProvider::builder(role_name)
.session_name(session_name.unwrap_or("rust_sdk_example_session".into()))
.configure(config)
.build()
.await;
let local_config = aws_config::from_env()
.credentials_provider(provider)
.load()
.await;
let client = Client::new(&local_config);
let req = client.get_caller_identity();
let resp = req.send().await;
match resp {
Ok(e) => {
println!("UserID : {}", e.user_id().unwrap_or_default());
println!("Account: {}", e.account().unwrap_or_default());
println!("Arn : {}", e.arn().unwrap_or_default());
}
Err(e) => println!("{:?}", e),
}
}
```
+ 有关 API 的详细信息,请参阅适用[AssumeRole](https://docs.rs/aws-sdk-sts/latest/aws_sdk_sts/client/struct.Client.html#method.assume_role)于 *Rust 的AWS SDK API 参考*。
------
#### [ Swift ]
**适用于 Swift 的 SDK**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/swift/example_code/iam#code-examples)中查找完整示例,了解如何进行设置和运行。
```
import AWSSTS
public func assumeRole(role: IAMClientTypes.Role, sessionName: String)
async throws -> STSClientTypes.Credentials
{
let input = AssumeRoleInput(
roleArn: role.arn,
roleSessionName: sessionName
)
do {
let output = try await stsClient.assumeRole(input: input)
guard let credentials = output.credentials else {
throw ServiceHandlerError.authError
}
return credentials
} catch {
print("Error assuming role: ", dump(error))
throw error
}
}
```
+ 有关 API 的详细信息,请参阅适用于 S *wift 的AWS SDK API 参考[AssumeRole](https://sdk.amazonaws.com/swift/api/awssts/latest/documentation/awssts/stsclient/assumerole(input:))*中。
------
# 将 `AssumeRoleWithWebIdentity` 与 CLI 配合使用
以下代码示例演示如何使用 `AssumeRoleWithWebIdentity`。
------
#### [ CLI ]
**AWS CLI**
**获取使用 Web 身份验证的角色的短期证书 (OAuth 2." 0)**
以下 `assume-role-with-web-identity` 命令将检索 IAM 角色 `app1` 的一组短期凭证。使用由指定 Web 身份提供者提供的 Web 身份令牌对请求进行身份验证。两个附加策略应用于会话,以进一步限制用户可以执行的操作。返回的凭证在生成一个小时后过期。
```
aws sts assume-role-with-web-identity \
--duration-seconds 3600 \
--role-session-name "app1" \
--provider-id "www.amazon.com" \
--policy-arns "arn:aws:iam::123456789012:policy/q=webidentitydemopolicy1","arn:aws:iam::123456789012:policy/webidentitydemopolicy2" \
--role-arn arn:aws:iam::123456789012:role/FederatedWebIdentityRole \
--web-identity-token "Atza%7CIQEBLjAsAhRFiXuWpUXuRvQ9PZL3GMFcYevydwIUFAHZwXZXXXXXXXXJnrulxKDHwy87oGKPznh0D6bEQZTSCzyoCtL_8S07pLpr0zMbn6w1lfVZKNTBdDansFBmtGnIsIapjI6xKR02Yc_2bQ8LZbUXSGm6Ry6_BG7PrtLZtj_dfCTj92xNGed-CrKqjG7nPBjNIL016GGvuS5gSvPRUxWES3VYfm1wl7WTI7jn-Pcb6M-buCgHhFOzTQxod27L9CqnOLio7N3gZAGpsp6n1-AJBOCJckcyXe2c6uD0srOJeZlKUm2eTDVMf8IehDVI0r1QOnTV6KzzAI3OY87Vd_cVMQ"
```
输出:
```
{
"SubjectFromWebIdentityToken": "amzn1.account.AF6RHO7KZU5XRVQJGXK6HB56KR2A",
"Audience": "client.5498841531868486423.1548@apps.example.com",
"AssumedRoleUser": {
"Arn": "arn:aws:sts::123456789012:assumed-role/FederatedWebIdentityRole/app1",
"AssumedRoleId": "AROACLKWSDQRAOEXAMPLE:app1"
},
"Credentials": {
"AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
"SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
"SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
"Expiration": "2020-05-19T18:06:10+00:00"
},
"Provider": "www.amazon.com"
}
```
有关更多信息,请参阅《AWS IAM 用户指南》**中的[请求临时安全凭证](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[AssumeRoleWithWebIdentity](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role-with-web-identity.html)*中的。
------
#### [ PowerShell ]
**适用于 PowerShell V4 的工具**
**示例 1:为已通过 Login with Amazon 身份提供者进行身份验证的用户返回一组临时凭证,有效期为一小时。这些凭证采用与角色 ARN 所标识角色关联的访问策略。或者,您可以将 JSON 策略传递给 -Policy 参数,以进一步细化访问权限(您授予的权限不能超过与该角色关联的权限中可用的权限)。提供给-的值WebIdentityToken 是身份提供商返回的唯一用户标识符。**
```
Use-STSWebIdentityRole -DurationInSeconds 3600 -ProviderId "www.amazon.com" -RoleSessionName "app1" -RoleArn "arn:aws:iam::123456789012:role/FederatedWebIdentityRole" -WebIdentityToken "Atza...DVI0r1"
```
+ 有关 API 的详细信息,请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/powershell/v4/reference)中的。
**适用于 PowerShell V5 的工具**
**示例 1:为已通过 Login with Amazon 身份提供者进行身份验证的用户返回一组临时凭证,有效期为一小时。这些凭证采用与角色 ARN 所标识角色关联的访问策略。或者,您可以将 JSON 策略传递给 -Policy 参数,以进一步细化访问权限(您授予的权限不能超过与该角色关联的权限中可用的权限)。提供给-的值WebIdentityToken 是身份提供商返回的唯一用户标识符。**
```
Use-STSWebIdentityRole -DurationInSeconds 3600 -ProviderId "www.amazon.com" -RoleSessionName "app1" -RoleArn "arn:aws:iam::123456789012:role/FederatedWebIdentityRole" -WebIdentityToken "Atza...DVI0r1"
```
+ 有关 API 的详细信息,请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [AssumeRoleWithWebIdentity](https://docs.aws.amazon.com/powershell/v5/reference)中的。
------
# 将 `DecodeAuthorizationMessage` 与 CLI 配合使用
以下代码示例演示如何使用 `DecodeAuthorizationMessage`。
------
#### [ CLI ]
**AWS CLI**
**解码为响应请求而返回的编码授权消息**
以下 `decode-authorization-message` 示例从为响应 Amazon Web Services 请求而返回的编码消息中解码有关请求授权状态的其他信息。
```
aws sts decode-authorization-message \
--encoded-message EXAMPLEWodyRNrtlQARDip-eTA6i6DrlUhHhPQrLWB_lAbl5pAKxl9mPDLexYcGBreyIKQC1BGBIpBKr3dFDkwqeO7e2NMk5j_hmzAiChJN-8oy3EwiCjkUW5fdRNjcRvscGlUo_MhqHqHpR-Ojau7BMjOTWwOtHPhV_Zaz87yENdipr745EjQwRd5LaoL3vN8_5ZfA9UiBMKDgVh1gjqZJFUiQoubv78V1RbHNYnK44ElGKmUWYa020I1y6TNS9LXoNmc62GzkfGvoPGhD13br5tXEOo1rAm3vsPewRDFNkYL-4_1MWWezhRNEpqvXBDXLI9xEux7YYkRtjd45NJLFzZynBUubV8NHOevVuighd1Mvz3OiA-1_oPSe4TBtjfN9s7kjU1z70WpVbUgrLVp1xXTK1rf9Ea7t8shPd-3VzKhjS5tLrweFxNOKwV2GtT76B_fRp8HTYz-pOu3FZjwYStfvTb3GHs3-6rLribGO9jZOktkfE6vqxlFzLyeDr4P2ihC1wty9tArCvvGzIAUNmARQJ2VVWPxioqgoqCzMaDMZEO7wkku7QeakEVZdf00qlNLMmcaVZb1UPNqD-JWP5pwe_mAyqh0NLw-r1S56YC_90onj9A80sNrHlI-tIiNd7tgNTYzDuPQYD2FMDBnp82V9eVmYGtPp5NIeSpuf3fOHanFuBZgENxZQZ2dlH3xJGMTtYayzZrRXjiq_SfX9zeBbpCvrD-0AJK477RM84vmtCrsUpJgx-FaoPIb8LmmKVBLpIB0iFhU9sEHPqKHVPi6jdxXqKaZaFGvYVmVOiuQdNQKuyk0p067POFrZECLjjOtNPBOZCcuEKEXAMPLE
```
输出:
```
{
"DecodedMessage": "{\"allowed\":false,\"explicitDeny\":true,\"matchedStatements\":{\"items\":[{\"statementId\":\"VisualEditor0\",\"effect\":\"DENY\",\"principals\":{\"items\":[{\"value\":\"AROA123456789EXAMPLE\"}]},\"principalGroups\":{\"items\":[]},\"actions\":{\"items\":[{\"value\":\"ec2:RunInstances\"}]},\"resources\":{\"items\":[{\"value\":\"*\"}]},\"conditions\":{\"items\":[]}}]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"AROA123456789EXAMPLE:Ana\",\"arn\":\"arn:aws:sts::111122223333:assumed-role/Developer/Ana\"},\"action\":\"RunInstances\",\"resource\":\"arn:aws:ec2:us-east-1:111122223333:instance/*\",\"conditions\":{\"items\":[{\"key\":\"ec2:MetadataHttpPutResponseHopLimit\",\"values\":{\"items\":[{\"value\":\"2\"}]}},{\"key\":\"ec2:InstanceMarketType\",\"values\":{\"items\":[{\"value\":\"on-demand\"}]}},{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"instance/*\"}]}},{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"111122223333\"}]}},{\"key\":\"ec2:AvailabilityZone\",\"values\":{\"items\":[{\"value\":\"us-east-1f\"}]}},{\"key\":\"ec2:ebsOptimized\",\"values\":{\"items\":[{\"value\":\"false\"}]}},{\"key\":\"ec2:IsLaunchTemplateResource\",\"values\":{\"items\":[{\"value\":\"false\"}]}},{\"key\":\"ec2:InstanceType\",\"values\":{\"items\":[{\"value\":\"t2.micro\"}]}},{\"key\":\"ec2:RootDeviceType\",\"values\":{\"items\":[{\"value\":\"ebs\"}]}},{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"us-east-1\"}]}},{\"key\":\"ec2:MetadataHttpEndpoint\",\"values\":{\"items\":[{\"value\":\"enabled\"}]}},{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},{\"key\":\"ec2:InstanceID\",\"values\":{\"items\":[{\"value\":\"*\"}]}},{\"key\":\"ec2:MetadataHttpTokens\",\"values\":{\"items\":[{\"value\":\"required\"}]}},{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"instance\"}]}},{\"key\":\"ec2:Tenancy\",\"values\":{\"items\":[{\"value\":\"default\"}]}},{\"key\":\"ec2:Region\",\"values\":{\"items\":[{\"value\":\"us-east-1\"}]}},{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:us-east-1:111122223333:instance/*\"}]}}]}}}"
}
```
有关更多信息,请参阅《AWS IAM 用户指南》**中的[策略评估逻辑](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[DecodeAuthorizationMessage](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/decode-authorization-message.html)*中的。
------
#### [ PowerShell ]
**适用于 PowerShell V4 的工具**
**示例 1:对为响应请求而返回的所提供编码消息内容中包含的其他信息进行解码。对其他信息进行编码的原因是,授权状态的详细信息可能构成请求操作的用户不应看到的特权信息。**
```
Convert-STSAuthorizationMessage -EncodedMessage "...encoded message..."
```
+ 有关 API 的详细信息,请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [DecodeAuthorizationMessage](https://docs.aws.amazon.com/powershell/v4/reference)中的。
**适用于 PowerShell V5 的工具**
**示例 1:对为响应请求而返回的所提供编码消息内容中包含的其他信息进行解码。对其他信息进行编码的原因是,授权状态的详细信息可能构成请求操作的用户不应看到的特权信息。**
```
Convert-STSAuthorizationMessage -EncodedMessage "...encoded message..."
```
+ 有关 API 的详细信息,请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [DecodeAuthorizationMessage](https://docs.aws.amazon.com/powershell/v5/reference)中的。
------
# 将 `GetFederationToken` 与 CLI 配合使用
以下代码示例演示如何使用 `GetFederationToken`。
------
#### [ CLI ]
**AWS CLI**
**使用 IAM 用户访问密钥凭证返回一组临时的安全凭证**
以下 `get-federation-token` 示例返回用户的一组临时安全凭证(由访问密钥 ID、秘密访问密钥和安全令牌组成)。您必须使用 IAM 用户的长期安全凭证调用 `GetFederationToken` 操作。
```
aws sts get-federation-token \
--name Bob \
--policy file://myfile.json \
--policy-arns arn=arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess \
--duration-seconds 900
```
`myfile.json` 的内容:
```
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "elasticloadbalancing:Describe*",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics",
"cloudwatch:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:Describe*",
"Resource": "*"
}
]
}
```
输出:
```
{
"Credentials": {
"AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
"SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
"SessionToken": "EXAMPLEpZ2luX2VjEGoaCXVzLXdlc3QtMiJIMEYCIQC/W9pL5ArQyDD5JwFL3/h5+WGopQ24GEXweNctwhi9sgIhAMkg+MZE35iWM8s4r5Lr25f9rSTVPFH98G42QQunWMTfKq0DCOP//////////wEQAxoMNDUyOTI1MTcwNTA3Igxuy3AOpuuoLsk3MJwqgQPg8QOd9HuoClUxq26wnc/nm+eZLjHDyGf2KUAHK2DuaS/nrGSEXAMPLE",
"Expiration": "2023-12-20T02:06:07+00:00"
},
"FederatedUser": {
"FederatedUserId": "111122223333:Bob",
"Arn": "arn:aws:sts::111122223333:federated-user/Bob"
},
"PackedPolicySize": 36
}
```
有关更多信息,请参阅《AWS IAM 用户指南》**中的[请求临时安全凭证](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[GetFederationToken](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-federation-token.html)*中的。
------
#### [ PowerShell ]
**适用于 PowerShell V4 的工具**
**示例 1:使用“Bob”作为联合用户的名称,请求有效期为一小时的联合令牌。此名称可用于引用基于资源的策略(例如 Amazon S3 存储桶策略)中的联合用户名。以 JSON 格式提供的 IAM 策略可用于缩小 IAM 用户可用权限的范围。提供的策略授予的权限不能超过授予请求用户的权限,联合用户的最终权限是,基于传递的策略和 IAM 用户策略交集的限制性最强的集合。**
```
Get-STSFederationToken -Name "Bob" -Policy "...JSON policy..." -DurationInSeconds 3600
```
+ 有关 API 的详细信息,请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetFederationToken](https://docs.aws.amazon.com/powershell/v4/reference)中的。
**适用于 PowerShell V5 的工具**
**示例 1:使用“Bob”作为联合用户的名称,请求有效期为一小时的联合令牌。此名称可用于引用基于资源的策略(例如 Amazon S3 存储桶策略)中的联合用户名。以 JSON 格式提供的 IAM 策略可用于缩小 IAM 用户可用权限的范围。提供的策略授予的权限不能超过授予请求用户的权限,联合用户的最终权限是,基于传递的策略和 IAM 用户策略交集的限制性最强的集合。**
```
Get-STSFederationToken -Name "Bob" -Policy "...JSON policy..." -DurationInSeconds 3600
```
+ 有关 API 的详细信息,请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetFederationToken](https://docs.aws.amazon.com/powershell/v5/reference)中的。
------
# `GetSessionToken`与 AWS SDK 或 CLI 配合使用
以下代码示例演示如何使用 `GetSessionToken`。
操作示例是大型程序的代码摘录,必须在上下文中运行。在以下代码示例中,您可以查看此操作的上下文:
+ [获取需要 MFA 令牌的会话令牌](sts_example_sts_Scenario_SessionTokenMfa_section.md)
------
#### [ CLI ]
**AWS CLI**
**要获取 IAM 身份的一组短期凭证**
以下 `get-session-token` 命令将检索进行调用的 IAM 身份的一组短期凭证。生成的凭证可用于策略要求多重身份验证(MFA)的请求。凭证在生成 15 分钟后过期。
```
aws sts get-session-token \
--duration-seconds 900 \
--serial-number "YourMFADeviceSerialNumber" \
--token-code 123456
```
输出:
```
{
"Credentials": {
"AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
"SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
"SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
"Expiration": "2020-05-19T18:06:10+00:00"
}
}
```
有关更多信息,请参阅《AWS IAM 用户指南》**中的[请求临时安全凭证](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)。
+ 有关 API 的详细信息,请参阅*AWS CLI 命令参考[GetSessionToken](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-session-token.html)*中的。
------
#### [ PowerShell ]
**适用于 PowerShell V4 的工具**
**示例 1:返回包含在设定时间段内有效的临时凭证的 `Amazon.RuntimeAWSCredentials` 实例。用于请求临时凭证的凭证是根据当前 shell 默认值推断出来的。要指定其他凭据,请使用-ProfileName 或-AccessKey /-SecretKey 参数。**
```
Get-STSSessionToken
```
**输出**:
```
AccessKeyId Expiration SecretAccessKey SessionToken
----------- ---------- --------------- ------------
EXAMPLEACCESSKEYID 2/16/2015 9:12:28 PM examplesecretaccesskey... SamPleTokeN.....
```
**示例 2:返回包含有效期为一小时的临时凭证的 `Amazon.RuntimeAWSCredentials` 实例。用于发出请求的凭证是从指定的配置文件中获得的。**
```
Get-STSSessionToken -DurationInSeconds 3600 -ProfileName myprofile
```
**输出**:
```
AccessKeyId Expiration SecretAccessKey SessionToken
----------- ---------- --------------- ------------
EXAMPLEACCESSKEYID 2/16/2015 9:12:28 PM examplesecretaccesskey... SamPleTokeN.....
```
**示例 3:使用与其凭证在配置文件“myprofilename”中指定的账户关联的 MFA 设备的标识号和该设备提供的值,返回包含有效期为一小时的临时凭证的 `Amazon.RuntimeAWSCredentials` 实例。**
```
Get-STSSessionToken -DurationInSeconds 3600 -ProfileName myprofile -SerialNumber YourMFADeviceSerialNumber -TokenCode 123456
```
**输出**:
```
AccessKeyId Expiration SecretAccessKey SessionToken
----------- ---------- --------------- ------------
EXAMPLEACCESSKEYID 2/16/2015 9:12:28 PM examplesecretaccesskey... SamPleTokeN.....
```
+ 有关 API 的详细信息,请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 4) [GetSessionToken](https://docs.aws.amazon.com/powershell/v4/reference)中的。
**适用于 PowerShell V5 的工具**
**示例 1:返回包含在设定时间段内有效的临时凭证的 `Amazon.RuntimeAWSCredentials` 实例。用于请求临时凭证的凭证是根据当前 shell 默认值推断出来的。要指定其他凭据,请使用-ProfileName 或-AccessKey /-SecretKey 参数。**
```
Get-STSSessionToken
```
**输出**:
```
AccessKeyId Expiration SecretAccessKey SessionToken
----------- ---------- --------------- ------------
EXAMPLEACCESSKEYID 2/16/2015 9:12:28 PM examplesecretaccesskey... SamPleTokeN.....
```
**示例 2:返回包含有效期为一小时的临时凭证的 `Amazon.RuntimeAWSCredentials` 实例。用于发出请求的凭证是从指定的配置文件中获得的。**
```
Get-STSSessionToken -DurationInSeconds 3600 -ProfileName myprofile
```
**输出**:
```
AccessKeyId Expiration SecretAccessKey SessionToken
----------- ---------- --------------- ------------
EXAMPLEACCESSKEYID 2/16/2015 9:12:28 PM examplesecretaccesskey... SamPleTokeN.....
```
**示例 3:使用与其凭证在配置文件“myprofilename”中指定的账户关联的 MFA 设备的标识号和该设备提供的值,返回包含有效期为一小时的临时凭证的 `Amazon.RuntimeAWSCredentials` 实例。**
```
Get-STSSessionToken -DurationInSeconds 3600 -ProfileName myprofile -SerialNumber YourMFADeviceSerialNumber -TokenCode 123456
```
**输出**:
```
AccessKeyId Expiration SecretAccessKey SessionToken
----------- ---------- --------------- ------------
EXAMPLEACCESSKEYID 2/16/2015 9:12:28 PM examplesecretaccesskey... SamPleTokeN.....
```
+ 有关 API 的详细信息,请参阅 *AWS Tools for PowerShell Cmdlet 参考 (V* 5) [GetSessionToken](https://docs.aws.amazon.com/powershell/v5/reference)中的。
------
#### [ Python ]
**适用于 Python 的 SDK(Boto3)**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/sts#code-examples)中查找完整示例,了解如何进行设置和运行。
通过传递 MFA 令牌获取会话令牌,然后使用令牌列出账户的 Amazon S3 存储桶。
```
def list_buckets_with_session_token_with_mfa(mfa_serial_number, mfa_totp, sts_client):
"""
Gets a session token with MFA credentials and uses the temporary session
credentials to list Amazon S3 buckets.
Requires an MFA device serial number and token.
:param mfa_serial_number: The serial number of the MFA device. For a virtual MFA
device, this is an Amazon Resource Name (ARN).
:param mfa_totp: A time-based, one-time password issued by the MFA device.
:param sts_client: A Boto3 STS instance that has permission to assume the role.
"""
if mfa_serial_number is not None:
response = sts_client.get_session_token(
SerialNumber=mfa_serial_number, TokenCode=mfa_totp
)
else:
response = sts_client.get_session_token()
temp_credentials = response["Credentials"]
s3_resource = boto3.resource(
"s3",
aws_access_key_id=temp_credentials["AccessKeyId"],
aws_secret_access_key=temp_credentials["SecretAccessKey"],
aws_session_token=temp_credentials["SessionToken"],
)
print(f"Buckets for the account:")
for bucket in s3_resource.buckets.all():
print(bucket.name)
```
+ 有关 API 的详细信息,请参阅适用[GetSessionToken](https://docs.aws.amazon.com/goto/boto3/sts-2011-06-15/GetSessionToken)于 *Python 的AWS SDK (Boto3) API 参考*。
------
# AWS STS 使用场景 AWS SDKs
以下代码示例向您展示了如何在中 AWS STS 实现常见场景 AWS SDKs。这些场景向您展示了如何通过在其中调用多个函数 AWS STS 或与其他函数组合来完成特定任务 AWS 服务。每个场景都包含完整源代码的链接,您可以在其中找到有关如何设置和运行代码的说明。
场景以中等水平的经验为目标,可帮助您结合具体环境了解服务操作。
**Topics**
+ [代入需要 MFA 令牌的 IAM 角色](sts_example_sts_Scenario_AssumeRoleMfa_section.md)
+ [为联合用户构建 URL](sts_example_sts_Scenario_ConstructFederatedUrl_section.md)
+ [获取需要 MFA 令牌的会话令牌](sts_example_sts_Scenario_SessionTokenMfa_section.md)
# AWS STS 使用软件开发工具包假设一个需要 MFA 令牌的 IAM 角色 AWS
以下代码示例显示了如何代入需要 MFA 令牌的角色。
**警告**
为了避免安全风险,在开发专用软件或处理真实数据时,请勿使用 IAM 用户进行身份验证。而是使用与身份提供商的联合身份验证,例如 [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)。
+ 创建一个 IAM 角色,该角色授予列出 Amazon S3 存储桶的权限。
+ 创建一个 IAM 用户,该用户仅在提供 MFA 凭证时才有权代入角色。
+ 为该用户注册一个 MFA 设备。
+ 代入该角色并使用临时凭证列出 S3 存储桶。
------
#### [ Python ]
**适用于 Python 的 SDK(Boto3)**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/sts#code-examples)中查找完整示例,了解如何进行设置和运行。
创建一个 IAM 用户,注册一个 MFA 设备,然后创建一个角色,该角色授予列出 S3 存储桶的权限。用户仅具有代入该角色的权限。
```
def setup(iam_resource):
"""
Creates a new user with no permissions.
Creates a new virtual MFA device.
Displays the QR code to seed the device.
Asks for two codes from the MFA device.
Registers the MFA device for the user.
Creates an access key pair for the user.
Creates a role with a policy that lets the user assume the role and requires MFA.
Creates a policy that allows listing Amazon S3 buckets.
Attaches the policy to the role.
Creates an inline policy for the user that lets the user assume the role.
For demonstration purposes, the user is created in the same account as the role,
but in practice the user would likely be from another account.
Any MFA device that can scan a QR code will work with this demonstration.
Common choices are mobile apps like LastPass Authenticator,
Microsoft Authenticator, or Google Authenticator.
:param iam_resource: A Boto3 AWS Identity and Access Management (IAM) resource
that has permissions to create users, roles, and policies
in the account.
:return: The newly created user, user key, virtual MFA device, and role.
"""
user = iam_resource.create_user(UserName=unique_name("user"))
print(f"Created user {user.name}.")
virtual_mfa_device = iam_resource.create_virtual_mfa_device(
VirtualMFADeviceName=unique_name("mfa")
)
print(f"Created virtual MFA device {virtual_mfa_device.serial_number}")
print(
f"Showing the QR code for the device. Scan this in the MFA app of your "
f"choice."
)
with open("qr.png", "wb") as qr_file:
qr_file.write(virtual_mfa_device.qr_code_png)
webbrowser.open(qr_file.name)
print(f"Enter two consecutive code from your MFA device.")
mfa_code_1 = input("Enter the first code: ")
mfa_code_2 = input("Enter the second code: ")
user.enable_mfa(
SerialNumber=virtual_mfa_device.serial_number,
AuthenticationCode1=mfa_code_1,
AuthenticationCode2=mfa_code_2,
)
os.remove(qr_file.name)
print(f"MFA device is registered with the user.")
user_key = user.create_access_key_pair()
print(f"Created access key pair for user.")
print(f"Wait for user to be ready.", end="")
progress_bar(10)
role = iam_resource.create_role(
RoleName=unique_name("role"),
AssumeRolePolicyDocument=json.dumps(
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": user.arn},
"Action": "sts:AssumeRole",
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": True}},
}
],
}
),
)
print(f"Created role {role.name} that requires MFA.")
policy = iam_resource.create_policy(
PolicyName=unique_name("policy"),
PolicyDocument=json.dumps(
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*",
}
],
}
),
)
role.attach_policy(PolicyArn=policy.arn)
print(f"Created policy {policy.policy_name} and attached it to the role.")
user.create_policy(
PolicyName=unique_name("user-policy"),
PolicyDocument=json.dumps(
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": role.arn,
}
],
}
),
)
print(
f"Created an inline policy for {user.name} that lets the user assume "
f"the role."
)
print("Give AWS time to propagate these new resources and connections.", end="")
progress_bar(10)
return user, user_key, virtual_mfa_device, role
```
显示不允许代入没有 MFA 令牌的角色。
```
def try_to_assume_role_without_mfa(assume_role_arn, session_name, sts_client):
"""
Shows that attempting to assume the role without sending MFA credentials results
in an AccessDenied error.
:param assume_role_arn: The Amazon Resource Name (ARN) of the role to assume.
:param session_name: The name of the STS session.
:param sts_client: A Boto3 STS instance that has permission to assume the role.
"""
print(f"Trying to assume the role without sending MFA credentials...")
try:
sts_client.assume_role(RoleArn=assume_role_arn, RoleSessionName=session_name)
raise RuntimeError("Expected AccessDenied error.")
except ClientError as error:
if error.response["Error"]["Code"] == "AccessDenied":
print("Got AccessDenied.")
else:
raise
```
代入授予列出 S3 存储桶权限的角色,传递所需的 MFA 令牌,并显示可以列出的存储桶。
```
def list_buckets_from_assumed_role_with_mfa(
assume_role_arn, session_name, mfa_serial_number, mfa_totp, sts_client
):
"""
Assumes a role from another account and uses the temporary credentials from
that role to list the Amazon S3 buckets that are owned by the other account.
Requires an MFA device serial number and token.
The assumed role must grant permission to list the buckets in the other account.
:param assume_role_arn: The Amazon Resource Name (ARN) of the role that
grants access to list the other account's buckets.
:param session_name: The name of the STS session.
:param mfa_serial_number: The serial number of the MFA device. For a virtual MFA
device, this is an ARN.
:param mfa_totp: A time-based, one-time password issued by the MFA device.
:param sts_client: A Boto3 STS instance that has permission to assume the role.
"""
response = sts_client.assume_role(
RoleArn=assume_role_arn,
RoleSessionName=session_name,
SerialNumber=mfa_serial_number,
TokenCode=mfa_totp,
)
temp_credentials = response["Credentials"]
print(f"Assumed role {assume_role_arn} and got temporary credentials.")
s3_resource = boto3.resource(
"s3",
aws_access_key_id=temp_credentials["AccessKeyId"],
aws_secret_access_key=temp_credentials["SecretAccessKey"],
aws_session_token=temp_credentials["SessionToken"],
)
print(f"Listing buckets for the assumed role's account:")
for bucket in s3_resource.buckets.all():
print(bucket.name)
```
销毁为演示创建的资源。
```
def teardown(user, virtual_mfa_device, role):
"""
Removes all resources created during setup.
:param user: The demo user.
:param role: The demo role.
"""
for attached in role.attached_policies.all():
policy_name = attached.policy_name
role.detach_policy(PolicyArn=attached.arn)
attached.delete()
print(f"Detached and deleted {policy_name}.")
role.delete()
print(f"Deleted {role.name}.")
for user_pol in user.policies.all():
user_pol.delete()
print("Deleted inline user policy.")
for key in user.access_keys.all():
key.delete()
print("Deleted user's access key.")
for mfa in user.mfa_devices.all():
mfa.disassociate()
virtual_mfa_device.delete()
user.delete()
print(f"Deleted {user.name}.")
```
使用之前定义的函数运行此方案。
```
def usage_demo():
"""Drives the demonstration."""
print("-" * 88)
print(
f"Welcome to the AWS Security Token Service assume role demo, "
f"starring multi-factor authentication (MFA)!"
)
print("-" * 88)
iam_resource = boto3.resource("iam")
user, user_key, virtual_mfa_device, role = setup(iam_resource)
print(f"Created {user.name} and {role.name}.")
try:
sts_client = boto3.client(
"sts", aws_access_key_id=user_key.id, aws_secret_access_key=user_key.secret
)
try_to_assume_role_without_mfa(role.arn, "demo-sts-session", sts_client)
mfa_totp = input("Enter the code from your registered MFA device: ")
list_buckets_from_assumed_role_with_mfa(
role.arn,
"demo-sts-session",
virtual_mfa_device.serial_number,
mfa_totp,
sts_client,
)
finally:
teardown(user, virtual_mfa_device, role)
print("Thanks for watching!")
```
+ 有关 API 的详细信息,请参阅适用[AssumeRole](https://docs.aws.amazon.com/goto/boto3/sts-2011-06-15/AssumeRole)于 *Python 的AWS SDK (Boto3) API 参考*。
------
# 使用 AWS SDK AWS STS 为联合用户构建 URL
以下代码示例展示了如何:
+ 创建一个 IAM 角色,该角色授予对当前账户的 Amazon S3 资源的只读访问权限。
+ 从 AWS 联合终端节点获取安全令牌。
+ 构建一个可以用于通过联合凭证访问控制台的 URL。
------
#### [ Python ]
**适用于 Python 的 SDK(Boto3)**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/sts#code-examples)中查找完整示例,了解如何进行设置和运行。
创建一个角色,该角色授予对当前账户的 S3 资源的只读访问权限。
```
def setup(iam_resource):
"""
Creates a role that can be assumed by the current user.
Attaches a policy that allows only Amazon S3 read-only access.
:param iam_resource: A Boto3 AWS Identity and Access Management (IAM) instance
that has the permission to create a role.
:return: The newly created role.
"""
role = iam_resource.create_role(
RoleName=unique_name("role"),
AssumeRolePolicyDocument=json.dumps(
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": iam_resource.CurrentUser().arn},
"Action": "sts:AssumeRole",
}
],
}
),
)
role.attach_policy(PolicyArn="arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess")
print(f"Created role {role.name}.")
print("Give AWS time to propagate these new resources and connections.", end="")
progress_bar(10)
return role
```
从 AWS 联合终端节点获取安全令牌,并构造一个可用于使用联合凭证访问控制台的 URL。
```
def construct_federated_url(assume_role_arn, session_name, issuer, sts_client):
"""
Constructs a URL that gives federated users direct access to the AWS Management
Console.
1. Acquires temporary credentials from AWS Security Token Service (AWS STS) that
can be used to assume a role with limited permissions.
2. Uses the temporary credentials to request a sign-in token from the
AWS federation endpoint.
3. Builds a URL that can be used in a browser to navigate to the AWS federation
endpoint, includes the sign-in token for authentication, and redirects to
the AWS Management Console with permissions defined by the role that was
specified in step 1.
:param assume_role_arn: The role that specifies the permissions that are granted.
The current user must have permission to assume the role.
:param session_name: The name for the STS session.
:param issuer: The organization that issues the URL.
:param sts_client: A Boto3 STS instance that can assume the role.
:return: The federated URL.
"""
response = sts_client.assume_role(
RoleArn=assume_role_arn, RoleSessionName=session_name
)
temp_credentials = response["Credentials"]
print(f"Assumed role {assume_role_arn} and got temporary credentials.")
session_data = {
"sessionId": temp_credentials["AccessKeyId"],
"sessionKey": temp_credentials["SecretAccessKey"],
"sessionToken": temp_credentials["SessionToken"],
}
aws_federated_signin_endpoint = "https://signin.aws.amazon.com/federation"
# Make a request to the AWS federation endpoint to get a sign-in token.
# The requests.get function URL-encodes the parameters and builds the query string
# before making the request.
response = requests.get(
aws_federated_signin_endpoint,
params={
"Action": "getSigninToken",
"SessionDuration": str(datetime.timedelta(hours=12).seconds),
"Session": json.dumps(session_data),
},
)
signin_token = json.loads(response.text)
print(f"Got a sign-in token from the AWS sign-in federation endpoint.")
# Make a federated URL that can be used to sign into the AWS Management Console.
query_string = urllib.parse.urlencode(
{
"Action": "login",
"Issuer": issuer,
"Destination": "https://console.aws.amazon.com/",
"SigninToken": signin_token["SigninToken"],
}
)
federated_url = f"{aws_federated_signin_endpoint}?{query_string}"
return federated_url
```
销毁为演示创建的资源。
```
def teardown(role):
"""
Removes all resources created during setup.
:param role: The demo role.
"""
for attached in role.attached_policies.all():
role.detach_policy(PolicyArn=attached.arn)
print(f"Detached {attached.policy_name}.")
role.delete()
print(f"Deleted {role.name}.")
```
使用之前定义的函数运行此方案。
```
def usage_demo():
"""Drives the demonstration."""
print("-" * 88)
print(f"Welcome to the AWS Security Token Service federated URL demo.")
print("-" * 88)
iam_resource = boto3.resource("iam")
role = setup(iam_resource)
sts_client = boto3.client("sts")
try:
federated_url = construct_federated_url(
role.arn, "AssumeRoleDemoSession", "example.org", sts_client
)
print(
"Constructed a federated URL that can be used to connect to the "
"AWS Management Console with role-defined permissions:"
)
print("-" * 88)
print(federated_url)
print("-" * 88)
_ = input(
"Copy and paste the above URL into a browser to open the AWS "
"Management Console with limited permissions. When done, press "
"Enter to clean up and complete this demo."
)
finally:
teardown(role)
print("Thanks for watching!")
```
+ 有关 API 的详细信息,请参阅适用[AssumeRole](https://docs.aws.amazon.com/goto/boto3/sts-2011-06-15/AssumeRole)于 *Python 的AWS SDK (Boto3) API 参考*。
------
# AWS STS 使用 SDK 获取需要 MFA 令牌的会话令牌 AWS
以下代码示例显示如何获取需要 MFA 令牌的会话令牌。
**警告**
为了避免安全风险,在开发专用软件或处理真实数据时,请勿使用 IAM 用户进行身份验证。而是使用与身份提供商的联合身份验证,例如 [AWS IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html)。
+ 创建一个 IAM 角色,该角色授予列出 Amazon S3 存储桶的权限。
+ 创建一个 IAM 用户,该用户仅在提供 MFA 凭证时才有权代入角色。
+ 为该用户注册一个 MFA 设备。
+ 提供 MFA 凭证以获取会话令牌,并使用临时凭证列出 S3 存储桶。
------
#### [ Python ]
**适用于 Python 的 SDK(Boto3)**
还有更多相关信息 GitHub。在 [AWS 代码示例存储库](https://github.com/awsdocs/aws-doc-sdk-examples/tree/main/python/example_code/sts#code-examples)中查找完整示例,了解如何进行设置和运行。
创建一个 IAM 用户,注册一个 MFA 设备,然后创建一个角色,该角色授予仅在使用 MFA 凭证时允许用户列出 S3 存储桶的权限。
```
def setup(iam_resource):
"""
Creates a new user with no permissions.
Creates a new virtual multi-factor authentication (MFA) device.
Displays the QR code to seed the device.
Asks for two codes from the MFA device.
Registers the MFA device for the user.
Creates an access key pair for the user.
Creates an inline policy for the user that lets the user list Amazon S3 buckets,
but only when MFA credentials are used.
Any MFA device that can scan a QR code will work with this demonstration.
Common choices are mobile apps like LastPass Authenticator,
Microsoft Authenticator, or Google Authenticator.
:param iam_resource: A Boto3 AWS Identity and Access Management (IAM) resource
that has permissions to create users, MFA devices, and
policies in the account.
:return: The newly created user, user key, and virtual MFA device.
"""
user = iam_resource.create_user(UserName=unique_name("user"))
print(f"Created user {user.name}.")
virtual_mfa_device = iam_resource.create_virtual_mfa_device(
VirtualMFADeviceName=unique_name("mfa")
)
print(f"Created virtual MFA device {virtual_mfa_device.serial_number}")
print(
f"Showing the QR code for the device. Scan this in the MFA app of your "
f"choice."
)
with open("qr.png", "wb") as qr_file:
qr_file.write(virtual_mfa_device.qr_code_png)
webbrowser.open(qr_file.name)
print(f"Enter two consecutive code from your MFA device.")
mfa_code_1 = input("Enter the first code: ")
mfa_code_2 = input("Enter the second code: ")
user.enable_mfa(
SerialNumber=virtual_mfa_device.serial_number,
AuthenticationCode1=mfa_code_1,
AuthenticationCode2=mfa_code_2,
)
os.remove(qr_file.name)
print(f"MFA device is registered with the user.")
user_key = user.create_access_key_pair()
print(f"Created access key pair for user.")
print(f"Wait for user to be ready.", end="")
progress_bar(10)
user.create_policy(
PolicyName=unique_name("user-policy"),
PolicyDocument=json.dumps(
{
"Version":"2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "s3:ListAllMyBuckets",
"Resource": "arn:aws:s3:::*",
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": True}},
}
],
}
),
)
print(
f"Created an inline policy for {user.name} that lets the user list buckets, "
f"but only when MFA credentials are present."
)
print("Give AWS time to propagate these new resources and connections.", end="")
progress_bar(10)
return user, user_key, virtual_mfa_device
```
通过传递 MFA 令牌获取临时会话凭证,并使用凭证列出账户的 S3 存储桶。
```
def list_buckets_with_session_token_with_mfa(mfa_serial_number, mfa_totp, sts_client):
"""
Gets a session token with MFA credentials and uses the temporary session
credentials to list Amazon S3 buckets.
Requires an MFA device serial number and token.
:param mfa_serial_number: The serial number of the MFA device. For a virtual MFA
device, this is an Amazon Resource Name (ARN).
:param mfa_totp: A time-based, one-time password issued by the MFA device.
:param sts_client: A Boto3 STS instance that has permission to assume the role.
"""
if mfa_serial_number is not None:
response = sts_client.get_session_token(
SerialNumber=mfa_serial_number, TokenCode=mfa_totp
)
else:
response = sts_client.get_session_token()
temp_credentials = response["Credentials"]
s3_resource = boto3.resource(
"s3",
aws_access_key_id=temp_credentials["AccessKeyId"],
aws_secret_access_key=temp_credentials["SecretAccessKey"],
aws_session_token=temp_credentials["SessionToken"],
)
print(f"Buckets for the account:")
for bucket in s3_resource.buckets.all():
print(bucket.name)
```
销毁为演示创建的资源。
```
def teardown(user, virtual_mfa_device):
"""
Removes all resources created during setup.
:param user: The demo user.
:param role: The demo MFA device.
"""
for user_pol in user.policies.all():
user_pol.delete()
print("Deleted inline user policy.")
for key in user.access_keys.all():
key.delete()
print("Deleted user's access key.")
for mfa in user.mfa_devices.all():
mfa.disassociate()
virtual_mfa_device.delete()
user.delete()
print(f"Deleted {user.name}.")
```
使用之前定义的函数运行此方案。
```
def usage_demo():
"""Drives the demonstration."""
print("-" * 88)
print(
f"Welcome to the AWS Security Token Service assume role demo, "
f"starring multi-factor authentication (MFA)!"
)
print("-" * 88)
iam_resource = boto3.resource("iam")
user, user_key, virtual_mfa_device = setup(iam_resource)
try:
sts_client = boto3.client(
"sts", aws_access_key_id=user_key.id, aws_secret_access_key=user_key.secret
)
try:
print("Listing buckets without specifying MFA credentials.")
list_buckets_with_session_token_with_mfa(None, None, sts_client)
except ClientError as error:
if error.response["Error"]["Code"] == "AccessDenied":
print("Got expected AccessDenied error.")
mfa_totp = input("Enter the code from your registered MFA device: ")
list_buckets_with_session_token_with_mfa(
virtual_mfa_device.serial_number, mfa_totp, sts_client
)
finally:
teardown(user, virtual_mfa_device)
print("Thanks for watching!")
```
+ 有关 API 的详细信息,请参阅适用[GetSessionToken](https://docs.aws.amazon.com/goto/boto3/sts-2011-06-15/GetSessionToken)于 *Python 的AWS SDK (Boto3) API 参考*。
------