У нас есть настройка AWS с несколькими учетными записями. Каждая учетная запись отвечает за разные направления разработки (DEV, QA, Production).
Мы также используем ADFS для подключения для аутентификации для этих разных дорожек.
Я сделаю следующий вызов aws cli для настройки учетных данных.
aws-adfs login --profile=master --adfs-host=adfs.whatever.com --no-ssl-verification
Полученный файл учетных данных будет выглядеть следующим образом
[master]
aws_access_key_id = key_id
aws_secret_access_key = access_key
aws_session_token = session_token
aws_security_token = security_token
Остальные полосы идентифицируются как профили в файле конфигурации.
[default]
[profile master]
region = us-west-2
output = text
adfs_config.ssl_verification = False
adfs_config.role_arn = arn:aws:iam::XXXXXXXXX:role/AD_DeveloperRole
adfs_config.adfs_host = adfs.whatever.com
adfs_config.adfs_user = [email protected]
adfs_config.session_duration = 3600
[profile development]
role_arn = arn:aws:iam::YYYYYYY:role/DeveloperRole
source_profile = master
region = us-west-2
output = json
adfs_config.ssl_verification = False
adfs_config.role_arn = arn:aws:iam::XXXXXXXXX:role/AD_DeveloperRole
adfs_config.adfs_host = adfs.whatever.com
adfs_config.adfs_user = [email protected]
adfs_config.session_duration = 3600
Используя aws cli, я могу получить доступ к этим другим дорожкам по их профилю. Вот пример
aws --profile=development ssm get-parameters-by-path --path /SOME_PARAMETER
Однако я хочу сделать это в коде. Вот как я воспроизвел это с помощью AWS-JAVA-SDK.
String region = new AwsProfileRegionProvider("profile development").getRegion();
CsmConfigurationProvider csmConfig = new ProfileCsmConfigurationProvider("profile development");
AWSCredentialsProvider credentialsProvider = new ProfileCredentialsProvider("master");
AWSSimpleSystemsManagement ssm = AWSSimpleSystemsManagementClientBuilder.standard()
.withCredentials(credentialsProvider)
.withRegion(region)
.withClientSideMonitoringConfigurationProvider(csmConfig)
.build();
GetParametersByPathRequest request = new GetParametersByPathRequest();
request.setPath("/SOME_PARAMETER");
GetParametersByPathResult result = ssm.getParametersByPath(request);
Но я получаю сообщение об ошибке
com.amazonaws.services.simplesystemsmanagement.model.AWSSimpleSystemsManagementException: User: arn:aws:sts::XXXXXXXXX:assumed-role/AD_DeveloperRole/[email protected] is not authorized to perform: ssm:GetParametersByPath on resource: arn:aws:ssm:us-west-2:XXXXXXXXX:parameter/SOME_PARAMETER (Service: AWSSimpleSystemsManagement; Status Code: 400; Error Code: AccessDeniedException; Request ID: ***********)
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1660) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1324) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1074) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:745) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:719) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:701) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:669) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:651) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:515) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.doInvoke(AWSSimpleSystemsManagementClient.java:8126) ~[aws-java-sdk-ssm-1.11.415.jar:na]
at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.invoke(AWSSimpleSystemsManagementClient.java:8095) ~[aws-java-sdk-ssm-1.11.415.jar:na]
at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.invoke(AWSSimpleSystemsManagementClient.java:8084) ~[aws-java-sdk-ssm-1.11.415.jar:na]
at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.executeGetParametersByPath(AWSSimpleSystemsManagementClient.java:5021) ~[aws-java-sdk-ssm-1.11.415.jar:na]
at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.getParametersByPath(AWSSimpleSystemsManagementClient.java:4992) ~[aws-java-sdk-ssm-1.11.415.jar:na]
Вы заметите, что он пытается найти ресурс: arn:aws:ssm:us-west-2:XXXXXXXXX:parameter/SOME_PARAMETER вместо ресурса: arn:aws:ssm: us-west-2:YYYYYYY:parameter/SOME_PARAMETER
Если я обновлю ProfileCredentialsProvider с профилем «разработка» вместо «мастер», я получаю сообщение об ошибке
java.lang.IllegalArgumentException: No AWS profile named 'development'
at com.amazonaws.auth.profile.ProfilesConfigFile.getCredentials(ProfilesConfigFile.java:158) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.auth.profile.ProfileCredentialsProvider.getCredentials(ProfileCredentialsProvider.java:161) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1186) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:776) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:726) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:719) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:701) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:669) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:651) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:515) ~[aws-java-sdk-core-1.11.415.jar:na]
at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.doInvoke(AWSSimpleSystemsManagementClient.java:8126) ~[aws-java-sdk-ssm-1.11.415.jar:na]
at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.invoke(AWSSimpleSystemsManagementClient.java:8095) ~[aws-java-sdk-ssm-1.11.415.jar:na]
at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.invoke(AWSSimpleSystemsManagementClient.java:8084) ~[aws-java-sdk-ssm-1.11.415.jar:na]
at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.executeGetParametersByPath(AWSSimpleSystemsManagementClient.java:5021) ~[aws-java-sdk-ssm-1.11.415.jar:na]
at com.amazonaws.services.simplesystemsmanagement.AWSSimpleSystemsManagementClient.getParametersByPath(AWSSimpleSystemsManagementClient.java:4992) ~[aws-java-sdk-ssm-1.11.415.jar:na]
Что мне нужно изменить в коде Java, чтобы он обращался к параметрам, хранящимся в YYYYYYY вместо XXXXXXXXX?
