assume-role-with-web-identity获取的凭证使用就报错
0
【以下的问题经过翻译处理】 我正在尝试使用 OpenID Connect 身份验证。我创建了我的身份提供者并且能够使用 aws sts assume-role-with-web-identity 收到认证,但是当我尝试使用返回的令牌发出请求时,我只收到此错误:An error occurred (InvalidClientTokenId) when calling the GetCallerIdentity operation: The security token included in the request is invalid.
设置
Identity Provider
- name: gitlab.com
- audience: https://gitlab.com
###Trust Relationship
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::{account id}:oidc-provider/gitlab.com"
},
"Action": [
"sts:AssumeRoleWithWebIdentity",
"sts:TagSession"
],
"Condition": {
"StringLike": {
"gitlab.com:sub": "project_path:{redacted}/*:ref_type:branch:ref:*"
}
}
}
]
}
Role Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:GetCallerIdentity"
],
"Resource": [
"*"
]
},
{...excluded}
]
}
步骤
aws sts assume-role-with-web-identity \
--role-arn arn:aws:iam::{account id}:role/app-deploy \
--role-session-name "GitLabRunner-${CI_PROJECT_ID}-${CI_PIPELINE_ID}" \
--web-identity-token $CI_JOB_JWT_V2 \
--duration-seconds 3600 >> secrets
export AWS_ACCESS_KEY_ID="$(cat secrets | jq '.Credentials.AccessKeyId')"
export AWS_SECRET_ACCESS_KEY="$(cat secrets | jq '.Credentials.SecretAccessKey')"
export AWS_SESSION_TOKEN="$(cat secrets | jq '.Credentials.SessionToken')"
export AWS_SECURITY_TOKEN="$AWS_SESSION_TOKEN"
export AWS_DEFAULT_REGION="us-east-2"
然后在运行aws sts get-caller-identity时出错。
1 回答
- 最新
- 投票最多
- 评论最多
0
【以下的回答经过翻译处理】 你好,
问题是 jq config,您需要像这样添加 --raw-output 标识:
export AWS_ACCESS_KEY_ID="$(cat secrets | jq '.Credentials.AccessKeyId' --raw-output)"
export AWS_SECRET_ACCESS_KEY="$(cat secrets | jq '.Credentials.SecretAccessKey' --raw-output)"
export AWS_SESSION_TOKEN="$(cat secrets | jq '.Credentials.SessionToken' --raw-output)"
否则,环境变量会被包裹在 "" 中,这是行不通的。
希望能帮助到你!
相关内容
AWS 官方已更新 1 年前- AWS 官方已更新 1 年前