【以下的问题经过翻译处理】 我正在尝试使用 OpenID Connect 身份验证。我创建了我的身份提供者并且能够使用 aws sts assume-role-with-web-identity
收到认证,但是当我尝试使用返回的令牌发出请求时,我只收到此错误:An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
设置
Identity Provider
###Trust Relationship
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::{account id}:oidc-provider/gitlab.com"
},
"Action": [
"sts:AssumeRoleWithWebIdentity",
"sts:TagSession"
],
"Condition": {
"StringLike": {
"gitlab.com:sub": "project_path:{redacted}/*:ref_type:branch:ref:*"
}
}
}
]
}
Role Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:GetCallerIdentity"
],
"Resource": [
"*"
]
},
{...excluded}
]
}
步骤
aws sts assume-role-with-web-identity \
--role-arn arn:aws:iam::{account id}:role/app-deploy \
--role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}" \
--web-identity-token $CI_JOB_JWT_V2 \
--duration-seconds 3600 >> secrets
export AWS_ACCESS_KEY_ID="$(cat secrets | jq '.Credentials.AccessKeyId')"
export AWS_SECRET_ACCESS_KEY="$(cat secrets | jq '.Credentials.SecretAccessKey')"
export AWS_SESSION_TOKEN="$(cat secrets | jq '.Credentials.SessionToken')"
export AWS_SECURITY_TOKEN="$AWS_SESSION_TOKEN"
export AWS_DEFAULT_REGION="us-east-2"
然后在运行aws sts get-caller-identity
时出错。