Get temporary credentials for API Gateway with IAM authorizer from EC2/ElasticBeanstalk

Problem description

I need to call an API Gateway method protected by IAM authentication from an Elastic Beanstalk application. But to create a signed request I need the access/secret key and a session token. So I tried using MetadataService

const util = require('util');
const AWS = require('aws-sdk');

let sessionData;

async function loadInstanceCredentials() {
    console.log('Using metadata service');
    const metadata = new AWS.MetadataService();
    // MetadataService.request takes a callback; promisify it and keep `this` bound
    const metadataRequest = util
        .promisify(metadata.request)
        .bind(metadata);
    const data = await metadataRequest(
        '/latest/meta-data/identity-credentials/ec2/security-credentials/ec2-instance'
    );
    sessionData = JSON.parse(data);
    console.log(
        'typeof sessionData',
        typeof sessionData,
        sessionData.Token
    );
    // The metadata document calls the session token "Token"; copy it to SessionToken
    sessionData = {
        ...sessionData,
        SessionToken: sessionData.Token
    };
}

But when I call the API, I get:

[9d3a82369277] gfx5000000 Error: Request failed with status code 403
at createError (/var/app/current/node_modules/aws-api-gateway-client/node_modules/axios/lib/core/createError.js:16:15)
at settle (/var/app/current/node_modules/aws-api-gateway-client/node_modules/axios/lib/core/settle.js:18:12)
at IncomingMessage.handleStreamEnd (/var/app/current/node_modules/aws-api-gateway-client/node_modules/axios/lib/adapters/http.js:202:11)
at IncomingMessage.emit (events.js:203:15)
at IncomingMessage.EventEmitter.emit (domain.js:448:20)
at endReadableNT (_stream_readable.js:1129:12)
at /var/app/current/node_modules/async-listener/glue.js:188:31
at process._tickCallback (internal/process/next_tick.js:63:19)

I also tried using getSessionToken, but realized I can't do that because I'm using a role.

Then I tried assuming the role,

const AWS = require('aws-sdk');
const sts = new AWS.STS();

let sessionData;

async function assumeInstanceRole() {
    console.log('Assuming role');
    sessionData = await sts
        .assumeRole({
            RoleArn:
                'arn:aws:iam::906981349885:role/genflix-beanstalk-ec2-role',
            RoleSessionName: 'genflix-eb'
        })
        .promise();
    console.log(sessionData);
    // AssumeRole returns the temporary keys under Credentials
    sessionData = sessionData.Credentials;
}

I am assuming the same role as the current EC2 instance, but I get:

AccessDenied: Access denied
at Request.extractError (/var/app/current/node_modules/aws-sdk/lib/protocol/query.js:50:29)
at Request.callListeners (/var/app/current/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
at Request.emit (/var/app/current/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/app/current/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/var/app/current/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/app/current/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/app/current/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/app/current/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/app/current/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/var/app/current/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
at Request.emit (/var/app/current/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
at Request.emit (/var/app/current/node_modules/aws-sdk/lib/request.js:683:14)
at Request.transition (/var/app/current/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/app/current/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/app/current/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/app/current/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/app/current/node_modules/aws-sdk/lib/request.js:685:12)
at Request.callListeners (/var/app/current/node_modules/aws-sdk/lib/sequential_executor.js:116:18)
at callNextListener (/var/app/current/node_modules/aws-sdk/lib/sequential_executor.js:96:12)
at IncomingMessage.onEnd (/var/app/current/node_modules/aws-sdk/lib/event_listeners.js:307:13)
at IncomingMessage.emit (events.js:203:15)
at IncomingMessage.EventEmitter.emit (domain.js:448:20)
at endReadableNT (_stream_readable.js:1129:12)
at /var/app/current/node_modules/async-listener/glue.js:188:31
at process._tickCallback (internal/process/next_tick.js:63:19)

What should I use?

Tags: node.js, amazon-web-services, aws-sdk, amazon-iam, api-gateway

Solution


Jiew, I recommend generating an SDK for API Gateway and using it in your code. https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-generate-sdk.html
