Сразу оговорюсь: политика доверия (trust policy) в консоли показывает, что роль workdocs_api_pull, указанная в доверенных сущностях, может принимать роль WorkDocs_API_Developer. Также следует отметить, что это кросс-аккаунтный сценарий.
Вот ошибка:
Traceback (most recent call last):
File "/var/task/workdocs_api_pull/bin/dcgs_sds_pull.py", line 76, in lambda_handler
get_folder_contents(aws_region)
File "/var/task/workdocs_api_pull/bin/dcgs_sds_pull.py", line 56, in get_folder_contents
role = assume_role(wd_role_arn, aws_region)
File "/var/task/workdocs_api_pull/bin/dcgs_sds_pull.py", line 48, in assume_role
RoleSessionName = 'workdocs_session'
File "/var/runtime/botocore/client.py", line 272, in _api_call
return self._make_api_call(operation_name, kwargs)
File "/var/runtime/botocore/client.py", line 576, in _make_api_call
raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::<account_num>:assumed-role/LambdaFullAccessRole/workdocs_api_pull is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account_num>:role/WorkDocs_API_Developer
Вот код:
from types import SimpleNamespace

import boto3
# Region used for both the STS and the WorkDocs clients below.
aws_region ='us-east-1'
# Target role to assume; `<account_num>` is a placeholder for the real account id.
# NOTE(review): the AccessDenied in the traceback names the caller as
# assumed-role/LambdaFullAccessRole/workdocs_api_pull — verify that this role's
# trust policy trusts role/LambdaFullAccessRole, not just the session name.
wd_role_arn = 'arn:aws:iam::<account_num>:role/WorkDocs_API_Developer'
def temp_keys():
    """Return a frozen snapshot of the default boto3 session's credentials.

    Returns:
        A ``ReadOnlyCredentials`` tuple exposing ``access_key``,
        ``secret_key`` and ``token``; the static snapshot does not refresh.
    """
    default_session = boto3.Session()
    # Resolve whatever the default provider chain yields for this runtime
    # (in Lambda that is the execution role) and freeze it.
    return default_session.get_credentials().get_frozen_credentials()
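def assume_role(wd_role_arn, aws_region):
    """Assume *wd_role_arn* through STS and return its temporary credentials.

    Args:
        wd_role_arn: ARN of the IAM role to assume (the parameter shadows the
            module-level constant of the same name; callers pass it explicitly).
        aws_region: Region the STS client is created in.

    Returns:
        An object exposing ``access_key``, ``secret_key`` and ``token`` —
        the attribute shape the caller (``get_folder_contents``) reads.

    Raises:
        botocore.exceptions.ClientError: for example ``AccessDenied`` when the
            calling identity is not allowed to perform ``sts:AssumeRole`` on
            *wd_role_arn*. NOTE(review): in the traceback the caller is
            ``assumed-role/LambdaFullAccessRole/workdocs_api_pull``, where
            ``workdocs_api_pull`` is only the session name; the target role's
            trust policy must trust ``role/LambdaFullAccessRole`` and that
            role's own permissions must allow ``sts:AssumeRole`` on the
            target — confirm both in IAM.
    """
    # The STS client picks up the execution-role credentials from the default
    # provider chain (the same chain temp_keys() reads), so the secret key and
    # session token never need to be copied around in application code.
    boto_sts = boto3.client('sts', region_name=aws_region)
    response = boto_sts.assume_role(RoleArn=wd_role_arn,
                                    RoleSessionName='workdocs_session')
    # assume_role() returns a plain dict; the original ``.credentials``
    # attribute access would raise AttributeError even on a successful call.
    creds = response['Credentials']
    return SimpleNamespace(access_key=creds['AccessKeyId'],
                           secret_key=creds['SecretAccessKey'],
                           token=creds['SessionToken'])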
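def lambda_handler(event, context):
    """Lambda entry point: assume the WorkDocs role and fetch one folder.

    Args:
        event: Lambda invocation payload (unused).
        context: Lambda runtime context (unused).
    """
    def get_folder_contents(aws_region):
        """Fetch folder metadata from WorkDocs with the assumed role's credentials.

        Args:
            aws_region: Region for the WorkDocs client.

        Returns:
            The raw ``get_folder`` response dict.
        """
        role = assume_role(wd_role_arn, aws_region)
        # Never print the temporary credentials: stdout in Lambda goes to
        # CloudWatch Logs, which would expose a usable key/secret/token to
        # anyone with read access to the log group.
        folder_id = '<folder_id>'  # placeholder for the real WorkDocs folder id
        client = boto3.client('workdocs',
                              aws_access_key_id=role.access_key,
                              aws_secret_access_key=role.secret_key,
                              aws_session_token=role.token,
                              region_name=aws_region)
        folder = client.get_folder(FolderId=folder_id)
        print(folder)
        return folder

    get_folder_contents(aws_region)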
Как разобраться, почему это не работает?