AWS S3 使用角色 ARN 下载文件

huangapple go评论115阅读模式
英文:

AWS S3 download file using role ARN

问题

我有一个S3对象,我想使用JAVA AWS SDK查询/下载它,并且我将使用AWS Role ARN而不是使用凭据。

是否可以使用AWSCredentialsProvider来实现这个目标?

期望通过AWSCredentialsProvider来实现这个目标。

在库中找不到合适的接口。

英文:

I have a S3 Object which i would like to query/download via JAVA AWS SDK
and for this i would be using AWS Role ARN. instead of using credentials

Is there a way we can do this using AWSCredentialsProvider

Expecting some means to do this via AWSCredentialsProvider

Could not find the right interface from the Library

答案1

得分: 0

不能仅通过指定 IAM 角色的 ARN 来访问 Amazon S3。(ARN 被视为公共信息,不包含任何权限。)

要“使用” IAM 角色,首先需要使用与 IAM 用户相关联的永久凭证

然后,使用这些凭证,您需要调用 AssumeRole(),传递您希望使用(或“假定”)的 IAM 角色的 ARN。IAM 用户必须有权限调用 IAM 角色上的 AssumeRole

然后,您将收到一组临时凭证,可用于访问 Amazon S3。

然而,如果您的代码正在运行在 Amazon EC2 实例上,并且 IAM 角色已经分配给了 EC2 实例,那么您的代码可以直接调用 S3。凭证将由EC2 实例元数据服务提供。

英文:

It is not possible to access Amazon S3 by merely specifying the ARN of an IAM Role. (An ARN is considered public knowledge and does not convey any permissions.)

To 'use' an IAM Role, you first need to use permanent credentials such as those associated with an IAM User.

Then, using those credentials, you need to call AssumeRole(), passing the ARN of the IAM Role you wish to use (or 'assume'). The IAM User must have permission to call AssumeRole on the IAM Role.

Then, you will receive back a set of temporary credentials that you can use to access Amazon S3.

However, if your code is running on an Amazon EC2 instance and the IAM Role have already been assigned to the EC2 instance, then your code can simply call S3 directly. The credentials will be provided by the EC2 instance metadata service.

答案2

得分: 0

为了完成您所寻找的操作,您需要使用StsClient服务客户端并调用assumeRole()方法。这将为您提供临时凭证,您可以使用它们执行包括S3操作在内的AWS服务操作。

要了解如何执行此操作,我建议查看AWS代码库中的示例,其中有一个完整的端到端示例,执行以下任务:

  1. 创建一个没有权限的用户。
  2. 创建授予Amazon S3权限的角色和策略。
  3. 创建角色。
  4. 授予用户权限。
  5. 通过假定角色来获取临时凭证。使用临时凭证创建Amazon S3服务客户端对象。
  6. 删除资源。

请参阅 —

使用AWS SDK创建IAM用户并假定角色

英文:

To do what you are looking for, you need to use the the StsClient service client and invoke the assumeRole() method. This gives you temp creds that you can use to perform an AWS Service operation that includes S3 operatons.

To learn how to do this, I recommend looking at the example in the AWS Code Library where there is a full end to end example that performs these tasks:

  1. Creates a user that has no permissions.
  2. Creates a role and policy that grants Amazon S3 permissions.
  3. Creates a role.
  4. Grants the user permissions.
  5. Gets temporary credentials by assuming the role. Creates an Amazon S3 Service client object with the temporary credentials.
  6. Deletes the resources.

See --

Create an IAM user and assume a role with AWS STS using an AWS SDK

huangapple
  • 本文由 发表于 2023年7月31日 20:22:55
  • 转载请务必保留本文链接:https://go.coder-hub.com/76803587.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定