amazon-web-services - Unable to assume a cross-account role with MFA; the aws cli produces no output
Problem description
I am setting up cross-account access between 2 AWS accounts. When MFA is not required, I can assume the role successfully. However, as soon as I add a condition to the trust policy that requires MFA, my aws cli just hangs.
Ideally, when I run the following command, the aws cli should prompt me for an MFA token:
aws s3 ls --profile mfa
When I run the above command with --debug, I get the following output:
2019-10-01 20:18:22,646 - MainThread - awscli.clidriver - DEBUG - CLI version: aws-cli/1.16.249 Python/3.7.4 Windows/10 botocore/1.12.239
2019-10-01 20:18:22,646 - MainThread - awscli.clidriver - DEBUG - Arguments entered to CLI: ['s3', 'ls', '--profile', 'mfa', '--debug']
2019-10-01 20:18:22,646 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function add_scalar_parsers at 0x03BC6348>
2019-10-01 20:18:22,646 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function register_uri_param_handler at 0x037B7810>
2019-10-01 20:18:22,649 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function inject_assume_role_provider_cache at 0x037D4858>
2019-10-01 20:18:22,651 - MainThread - botocore.credentials - DEBUG - Skipping environment variable credential check because profile name was explicitly set.
2019-10-01 20:18:22,651 - MainThread - botocore.hooks - DEBUG - Event session-initialized: calling handler <function attach_history_handler at 0x03ABB228>
2019-10-01 20:18:22,654 - MainThread - botocore.hooks - DEBUG - Event building-command-table.s3: calling handler <function add_waiters at 0x03BD20C0>
2019-10-01 20:18:22,656 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.s3.anonymous: calling handler <awscli.paramfile.URIArgumentHandler object at 0x03C50870>
2019-10-01 20:18:22,657 - MainThread - botocore.hooks - DEBUG - Event building-command-table.ls: calling handler <function add_waiters at 0x03BD20C0>
2019-10-01 20:18:22,660 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.paths: calling handler <awscli.paramfile.URIArgumentHandler object at 0x03C50870>
2019-10-01 20:18:22,660 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.anonymous: calling handler <awscli.paramfile.URIArgumentHandler object at 0x03C50870>
2019-10-01 20:18:22,660 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.page-size: calling handler <awscli.paramfile.URIArgumentHandler object at 0x03C50870>
2019-10-01 20:18:22,660 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.human-readable: calling handler <awscli.paramfile.URIArgumentHandler object at 0x03C50870>
2019-10-01 20:18:22,661 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.ls: calling handler <awscli.argprocess.ParamShorthandParser object at 0x035EAF10>
2019-10-01 20:18:22,661 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.summarize: calling handler <awscli.paramfile.URIArgumentHandler object at 0x03C50870>
2019-10-01 20:18:22,661 - MainThread - botocore.hooks - DEBUG - Event process-cli-arg.custom.ls: calling handler <awscli.argprocess.ParamShorthandParser object at 0x035EAF10>
2019-10-01 20:18:22,661 - MainThread - botocore.hooks - DEBUG - Event load-cli-arg.custom.ls.request-payer: calling handler <awscli.paramfile.URIArgumentHandler object at 0x03C50870>
2019-10-01 20:18:22,662 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role
2019-10-01 20:18:22,662 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: assume-role-with-web-identity
2019-10-01 20:18:22,662 - MainThread - botocore.credentials - DEBUG - Looking for credentials via: shared-credentials-file
2019-10-01 20:18:22,664 - MainThread - botocore.credentials - INFO - Found credentials in shared credentials file: ~/.aws/credentials
2019-10-01 20:18:22,665 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Users\Samrat\AppData\Roaming\Python\Python37\site-packages\botocore\data\endpoints.json
2019-10-01 20:18:22,668 - MainThread - botocore.hooks - DEBUG - Event choose-service-name: calling handler <function handle_service_name_alias at 0x03583618>
2019-10-01 20:18:22,675 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Users\Samrat\AppData\Roaming\Python\Python37\site-packages\botocore\data\s3\2006-03-01\service-2.json
2019-10-01 20:18:22,704 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_post at 0x0356D390>
2019-10-01 20:18:22,704 - MainThread - botocore.hooks - DEBUG - Event creating-client-class.s3: calling handler <function add_generate_presigned_url at 0x0356D270>
2019-10-01 20:18:22,705 - MainThread - botocore.args - DEBUG - The s3 config key is not a dictionary type, ignoring its value of: None
2019-10-01 20:18:22,711 - MainThread - botocore.endpoint - DEBUG - Setting s3 timeout as (60, 60)
2019-10-01 20:18:22,715 - MainThread - botocore.loaders - DEBUG - Loading JSON file: C:\Users\Samrat\AppData\Roaming\Python\Python37\site-packages\botocore\data\_retry.json
2019-10-01 20:18:22,716 - MainThread - botocore.client - DEBUG - Registering retry handlers for service: s3
2019-10-01 20:18:22,716 - MainThread - botocore.client - DEBUG - Defaulting to S3 virtual host style addressing with path style addressing fallback.
2019-10-01 20:18:22,716 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListBuckets: calling handler <function validate_bucket_name at 0x0358C3D8>
2019-10-01 20:18:22,716 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListBuckets: calling handler <bound method S3RegionRedirector.redirect_from_cache of <botocore.utils.S3RegionRedirector object at 0x03EB6710>>
2019-10-01 20:18:22,719 - MainThread - botocore.hooks - DEBUG - Event before-parameter-build.s3.ListBuckets: calling handler <function generate_idempotent_uuid at 0x0358C1E0>
2019-10-01 20:18:22,719 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.ListBuckets: calling handler <function add_expect_header at 0x0358C588>
2019-10-01 20:18:22,719 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.ListBuckets: calling handler <bound method S3RegionRedirector.set_request_url of <botocore.utils.S3RegionRedirector object at 0x03EB6710>>
2019-10-01 20:18:22,719 - MainThread - botocore.hooks - DEBUG - Event before-call.s3.ListBuckets: calling handler <function inject_api_version_header_if_needed at 0x0358CF18>
2019-10-01 20:18:22,719 - MainThread - botocore.endpoint - DEBUG - Making request for OperationModel(name=ListBuckets) with params: {'url_path': '/', 'query_string': '', 'method': 'GET', 'headers': {'User-Agent': 'aws-cli/1.16.249 Python/3.7.4 Windows/10 botocore/1.12.239'}, 'body': b'', 'url': 'https://s3.amazonaws.com/', 'context': {'client_region': 'us-east-1', 'client_config': <botocore.config.Config object at 0x03EB6410>, 'has_streaming_input': False, 'auth_type': None, 'signing': {'bucket': None}}}
2019-10-01 20:18:22,720 - MainThread - botocore.hooks - DEBUG - Event request-created.s3.ListBuckets: calling handler <bound method RequestSigner.handler of <botocore.signers.RequestSigner object at 0x03EB63F0>>
2019-10-01 20:18:22,720 - MainThread - botocore.hooks - DEBUG - Event choose-signer.s3.ListBuckets: calling handler <bound method ClientCreator._default_s3_presign_to_sigv2 of <botocore.client.ClientCreator object at 0x0378E510>>
2019-10-01 20:18:22,720 - MainThread - botocore.hooks - DEBUG - Event choose-signer.s3.ListBuckets: calling handler <function set_operation_specific_signer at 0x0358C150>
2019-10-01 20:18:22,720 - MainThread - botocore.hooks - DEBUG - Event before-sign.s3.ListBuckets: calling handler <function fix_s3_host at 0x0348EBB8>
Here are my ~/.aws/credentials and ~/.aws/config files:
# ~/.aws/credentials
[default]
aws_access_key_id = <ACCESS_KEY_ID>
aws_secret_access_key = <SECRET_ACCESS_KEY>
# ~/.aws/config
[default]
region = us-east-1
output = json
[profile mfa]
region = us-east-1
# role in the trusting account, whose trust policy now requires MFA
role_arn = arn:aws:iam::<Trusting-Account-ID>:role/RoleName
# long-term keys (above) used to make the sts:AssumeRole call
source_profile = default
# MFA device of the IAM user in the trusted account; its code must accompany the AssumeRole call
mfa_serial = arn:aws:iam::<Trusted-Account-ID>:mfa/user
Can anyone tell me what I am missing? Thanks!
Solution
My understanding is that you are not prompted for a one-time password (OTP) when trying to list buckets. If you are using an MFA device, you must first create a temporary session token through the STS service and then use that token to make the S3 call.
For example:
aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
will return temporary credentials:
{
    "Credentials": {
        "SecretAccessKey": "secret-access-key",
        "SessionToken": "temporary-session-token",
        "Expiration": "expiration-date-time",
        "AccessKeyId": "access-key-id"
    }
}
Update your AWS CLI configuration to use the temporary credentials:
[mfa]
aws_access_key_id = example-access-key-as-in-returned-output
aws_secret_access_key = example-secret-access-key-as-in-returned-output
aws_session_token = example-session-Token-as-in-returned-output
Then use those temporary credentials when interacting with S3:
aws s3 ls --profile mfa
Source: https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
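As an added example that is not part of the original answer or of the AWS knowledge-center article it cites, the script below automates the flow described above and applies it to the cross-account case in the question: it calls aws sts assume-role with --serial-number and --token-code (the response has the same "Credentials" shape as get-session-token), writes the result into the mfa section of ~/.aws/credentials, and re-prompts for a token code only when the cached credentials are within a few minutes of expiry. The role ARN, MFA serial and profile names are placeholders, the embedded STS response is constructed for offline testing, and the script assumes the aws CLI is on PATH.

```python
"""Obtain MFA-backed temporary credentials from STS and cache them in an
AWS CLI profile, asking for a new token code only once they near expiry.

Added example, not code from the original question or answer. Assumes the
`aws` CLI is installed and that a source profile with long-term keys exists;
the ARNs and profile names below are placeholders, not real resources.
"""
import configparser
import json
import os
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Placeholder identifiers (assumptions for the example).
SOURCE_PROFILE = "default"
TARGET_PROFILE = "mfa"
ROLE_ARN = "arn:aws:iam::111111111111:role/RoleName"
MFA_SERIAL = "arn:aws:iam::222222222222:mfa/user"
CREDENTIALS_FILE = os.path.expanduser("~/.aws/credentials")

# Constructed sample of an STS response (same shape as get-session-token /
# assume-role output); used only to exercise the parsing offline.
SAMPLE_STS_RESPONSE = """{
  "Credentials": {
    "SecretAccessKey": "secret-access-key",
    "SessionToken": "temporary-session-token",
    "Expiration": "2019-10-01T21:18:22Z",
    "AccessKeyId": "ASIAEXAMPLE"
  }
}"""


def parse_sts_credentials(json_text):
    """Map the STS 'Credentials' object onto credentials-file keys."""
    creds = json.loads(json_text)["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        # Not a key the CLI uses; kept so the script can check expiry later.
        "expiration": creds["Expiration"],
    }


def parse_expiration(value):
    """Parse the ISO 8601 expiry. CLI v1 prints a trailing 'Z', which
    datetime.fromisoformat() rejects, so normalise it to '+00:00'."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:  # defensive: treat a naive timestamp as UTC
        parsed = parsed.replace(tzinfo=timezone.utc)
    return parsed


def credentials_valid(expiration, now=None, margin=timedelta(minutes=5)):
    """True while the cached credentials have more than `margin` left, so a
    long-running command is not started on credentials about to expire."""
    now = now or datetime.now(timezone.utc)
    return parse_expiration(expiration) - margin > now


def write_profile(profile, creds, config=None):
    """Store the temporary credentials in a credentials-file section and
    return the ConfigParser holding them."""
    config = config if config is not None else configparser.ConfigParser()
    if not config.has_section(profile):
        config.add_section(profile)
    for key, value in creds.items():
        config.set(profile, key, value)
    return config


def assume_role_with_mfa(token_code, role_arn=ROLE_ARN, mfa_serial=MFA_SERIAL,
                         source_profile=SOURCE_PROFILE):
    """Run `aws sts assume-role` with the MFA device and one-time code, which
    is what a trust policy conditioned on MFA requires. Raises
    CalledProcessError if STS rejects the code or the role."""
    cmd = [
        "aws", "sts", "assume-role",
        "--profile", source_profile,
        "--role-arn", role_arn,
        "--role-session-name", "mfa-cli-session",
        "--serial-number", mfa_serial,
        "--token-code", token_code,
        "--output", "json",
    ]
    result = subprocess.run(cmd, check=True, capture_output=True, text=True)
    return parse_sts_credentials(result.stdout)


def main():
    config = configparser.ConfigParser()
    config.read(CREDENTIALS_FILE)
    if (config.has_option(TARGET_PROFILE, "expiration")
            and credentials_valid(config[TARGET_PROFILE]["expiration"])):
        print("Cached credentials for profile '%s' are still valid." % TARGET_PROFILE)
        return
    token_code = input("MFA token code for %s: " % MFA_SERIAL).strip()
    creds = assume_role_with_mfa(token_code)
    write_profile(TARGET_PROFILE, creds, config)
    with open(CREDENTIALS_FILE, "w") as fh:
        config.write(fh)
    os.chmod(CREDENTIALS_FILE, 0o600)  # the file now holds usable secrets
    print("Wrote temporary credentials to '%s' (expire %s)."
          % (TARGET_PROFILE, creds["expiration"]))


if __name__ == "__main__":
    try:
        main()
    except subprocess.CalledProcessError as exc:
        sys.exit("STS rejected the request: %s" % exc.stderr.strip())
```

Because the script performs the role assumption itself, the role_arn and source_profile lines should be removed from [profile mfa] in ~/.aws/config when using it: the debug output in the question shows botocore consulting the assume-role provider before the shared credentials file, so a profile that still carries role_arn would keep attempting the role via default instead of using the cached session keys.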