AWS stscreds SDK to refresh credentials for cross account assume roles

Question

I have set up cross-account reading of a Kinesis stream, but I get a security token expired error when the Kinesis client is reading records. I used STS assume role to assume roleA in accountA, then used roleA's credentials to assume roleB, and lastly returned the Kinesis client, so there is no refresh feature applied to it and the client will expire in 1 hr by default. I looked up the stscreds AssumeRoleProvider and the doc says it will refresh the credentials. But I have no idea how to refresh the first credential for the assumed roleA and then refresh the second credential for the assumed roleB. Or is it better to call the method to reinitialize the Kinesis client?

Here is the code block:

    import (
        "context"

        "github.com/aws/aws-sdk-go-v2/aws"
        "github.com/aws/aws-sdk-go-v2/config"
        "github.com/aws/aws-sdk-go-v2/credentials/stscreds"
        "github.com/aws/aws-sdk-go-v2/service/kinesis"
        "github.com/aws/aws-sdk-go-v2/service/sts"
    )

    // newKinesisClient assumes roleToAssumeArn1 with the default credentials, then
    // assumes roleToAssumeArn2 with those, and builds a Kinesis client on the result.
    // (The function wrapper is added here; the posted snippet showed only the body.)
    func newKinesisClient(roleToAssumeArn1, roleToAssumeArn2 string) (*kinesis.Client, error) {
        // Base config: default credential chain, region us-west-2.
        cfg, err := config.LoadDefaultConfig(
            context.TODO(),
            config.WithRegion("us-west-2"),
        )
        if err != nil {
            return nil, err
        }

        stsclient := sts.NewFromConfig(cfg)

        // First hop: cached AssumeRole provider for roleA, backed by the base credentials.
        assumingcnf, err := config.LoadDefaultConfig(
            context.TODO(),
            config.WithRegion("us-west-2"),
            config.WithCredentialsProvider(aws.NewCredentialsCache(
                stscreds.NewAssumeRoleProvider(
                    stsclient,
                    roleToAssumeArn1,
                )),
            ),
        )
        if err != nil {
            return nil, err
        }

        // STS client whose requests are signed with roleA's cached credentials.
        stsclient = sts.NewFromConfig(assumingcnf)

        // Second hop: cached AssumeRole provider for roleB, backed by the roleA STS client.
        cnf, err := config.LoadDefaultConfig(
            context.TODO(),
            config.WithRegion("us-west-2"),
            config.WithCredentialsProvider(aws.NewCredentialsCache(
                stscreds.NewAssumeRoleProvider(
                    stsclient,
                    roleToAssumeArn2,
                )),
            ),
        )
        if err != nil {
            return nil, err
        }

        kClient := kinesis.NewFromConfig(cnf)
        return kClient, nil
    }

Answer 1

Score: 0

You should be able to do this with the providers provided by AWS. I'm assuming you're using aws-sdk-go-v2.

This would make the resulting CredentialsProvider return the cached credentials until they expire; then it will call provider2, which uses sts2 to get new credentials for roleB, and sts2 will always call provider1 first to get new credentials for roleA.

    import (
        "github.com/aws/aws-sdk-go-v2/aws"
        "github.com/aws/aws-sdk-go-v2/credentials/stscreds"
        "github.com/aws/aws-sdk-go-v2/service/sts"
    )

    // createProvider chains two AssumeRole hops (base credentials -> roleA -> roleB)
    // and caches the outer one. "roleA" and "roleB" stand for the role ARNs.
    func createProvider(cfg aws.Config) aws.CredentialsProvider {
        sts1 := sts.NewFromConfig(cfg)
        // Hop 1: roleA, assumed with the credentials already in cfg.
        provider1 := stscreds.NewAssumeRoleProvider(sts1, "roleA")
        // STS client whose requests are signed with roleA's credentials.
        sts2 := sts.NewFromConfig(cfg, func(o *sts.Options) { o.Credentials = provider1 })
        // Hop 2: roleB, assumed with roleA's credentials.
        provider2 := stscreds.NewAssumeRoleProvider(sts2, "roleB")
        // The cache calls provider2 again when the cached credentials expire.
        return aws.NewCredentialsCache(provider2)
    }
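To make the refresh behaviour of the chained providers concrete without needing AWS access, here is an added example that is not part of the question or the answer and does not use aws-sdk-go-v2 at all. It is a small, single-threaded, standard-library-only model: `Provider`, `Static`, `FakeSTS`, `AssumeRoleProvider`, `Cache`, `Chain` and `Simulate` are hypothetical names that imitate the roles of `aws.CredentialsProvider`, `stscreds.AssumeRoleProvider` and `aws.NewCredentialsCache` as the answer describes them, and the five-minute refresh window, the session durations and the `ASIA-`/`AKIA-` identifiers are constructed values. It goes a little beyond the text: it shows the failure mode the question hit (a one-time snapshot of roleB credentials handed to a consumer, with no provider behind it to refresh) next to the cached chain, and it counts AssumeRole calls so the cost of leaving the inner roleA hop uncached is visible.

```go
package main

import (
	"fmt"
	"time"
)

// Credentials carries only what matters for refresh: an id and an expiry.
type Credentials struct {
	AccessKeyID string
	Expires     time.Time
}
// Expired reports whether the credentials are no longer valid at time now.
func (c Credentials) Expired(now time.Time) bool { return !now.Before(c.Expires) }

// Provider is a hypothetical stand-in for aws.CredentialsProvider; it takes the current
// time instead of a context so that runs are deterministic (single-threaded model).
type Provider interface {
	Retrieve(now time.Time) (Credentials, error)
}

// Static returns fixed credentials: base keys, or a snapshot that nothing refreshes.
type Static struct{ Creds Credentials }
func (s Static) Retrieve(time.Time) (Credentials, error) { return s.Creds, nil }

// FakeSTS stands in for STS: it counts AssumeRole calls per role and, like the real
// service, rejects a caller that presents expired credentials (the question's error).
type FakeSTS struct{ Calls map[string]int }
func (s *FakeSTS) AssumeRole(caller Credentials, roleArn string, d time.Duration, now time.Time) (Credentials, error) {
	if caller.Expired(now) {
		return Credentials{}, fmt.Errorf("ExpiredToken: %s expired", caller.AccessKeyID)
	}
	s.Calls[roleArn]++
	return Credentials{AccessKeyID: fmt.Sprintf("ASIA-%s-%d", roleArn, s.Calls[roleArn]), Expires: now.Add(d)}, nil
}

// AssumeRoleProvider plays the part of stscreds.AssumeRoleProvider: each Retrieve asks
// Source for caller credentials and calls AssumeRole with them; it caches nothing itself.
type AssumeRoleProvider struct {
	STS      *FakeSTS
	Source   Provider
	RoleArn  string
	Duration time.Duration
}

func (p *AssumeRoleProvider) Retrieve(now time.Time) (Credentials, error) {
	caller, err := p.Source.Retrieve(now)
	if err != nil {
		return Credentials{}, err
	}
	return p.STS.AssumeRole(caller, p.RoleArn, p.Duration, now)
}

// Cache plays the part of aws.NewCredentialsCache: it hands out the cached value until
// Window before expiry, then calls the wrapped provider once to refresh.
type Cache struct {
	Inner  Provider
	Window time.Duration
	creds  Credentials // zero value has a zero Expires, so the first call always refreshes
}

func (c *Cache) Retrieve(now time.Time) (Credentials, error) {
	if now.Before(c.creds.Expires.Add(-c.Window)) {
		return c.creds, nil
	}
	creds, err := c.Inner.Retrieve(now)
	if err == nil {
		c.creds = creds
	}
	return creds, err
}

// Chain wires base -> roleA -> roleB. The roleB hop is always cached, as in the answer's
// createProvider; cacheA says whether the roleA hop gets its own cache as well.
func Chain(sts *FakeSTS, base Provider, roleA, roleB string, durA, durB, window time.Duration, cacheA bool) Provider {
	var provA Provider = &AssumeRoleProvider{STS: sts, Source: base, RoleArn: roleA, Duration: durA}
	if cacheA {
		provA = &Cache{Inner: provA, Window: window}
	}
	return &Cache{Inner: &AssumeRoleProvider{STS: sts, Source: provA, RoleArn: roleB, Duration: durB}, Window: window}
}

// Simulate models a consumer (the Kinesis client) making one request every step for
// total; like the service, it fails on expired credentials. It returns the number of
// distinct credential sets the consumer used before it stopped.
func Simulate(p Provider, start time.Time, step, total time.Duration) (int, error) {
	seen := map[string]bool{}
	for t := start; t.Before(start.Add(total)); t = t.Add(step) {
		c, err := p.Retrieve(t)
		if err == nil && c.Expired(t) {
			err = fmt.Errorf("ExpiredToken at %s: %s", t.Format("15:04"), c.AccessKeyID)
		}
		if err != nil {
			return len(seen), err
		}
		seen[c.AccessKeyID] = true
	}
	return len(seen), nil
}

func main() {
	start := time.Date(2022, 10, 5, 0, 0, 0, 0, time.UTC)
	sts := &FakeSTS{Calls: map[string]int{}}
	base := Static{Credentials{AccessKeyID: "AKIA-base", Expires: start.Add(24 * time.Hour)}}
	p := Chain(sts, base, "roleA", "roleB", 2*time.Hour, time.Hour, 5*time.Minute, true)
	n, err := Simulate(p, start, 10*time.Minute, 3*time.Hour)
	fmt.Println(n, err, sts.Calls) // 3 <nil> map[roleA:2 roleB:3]
}
```

Over a three-hour run with a request every ten minutes, the cached chain hands the consumer three successive roleB credential sets and never fails, whereas a `Static` snapshot of the first roleB credentials fails at the one-hour mark with the same expired-token error the question describes. With both hops cached and a two-hour roleA session, roleA is assumed twice and roleB three times; with the roleA hop uncached, as in the answer's `createProvider` where `provider1` is not wrapped in a cache, every roleB refresh costs an extra roleA AssumeRole call as well. The asymmetric durations are not arbitrary: AWS caps sessions obtained by role chaining (roleB here) at one hour, while the first hop from long-lived credentials may use the role's configured maximum, so caching the inner hop is where the saving is. Whether the real `sts.NewFromConfig` wraps an `o.Credentials` provider in a cache on its own is not something the page states, so `cacheA` is left as an explicit choice in the model.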

huangapple
  • Posted on October 5, 2022 07:35:22
  • Please keep this link when reposting: https://go.coder-hub.com/73954581.html