https://signin.aws.amazon.com/signin?redirect_uri=https%3A%2F%2Fconsole.aws.amazon.com%2Fconsole%2Fhome%3FhashArgs%3D%2523%26isauthcode%3Dtrue%26state%3DhashArgsFromTB_eu-north-1_f2d9c316b93c0026&client_id=arn%3Aaws%3Asignin%3A%3A%3Aconsole%2Fcanvas&forceMobileApp=0&code_challenge=N4VDaEVnh2s2dWnL79Hzyqja2aWFGDoE1FbHXWk6G1M&code_challenge_method=SHA-256
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws-cn:iam::<被授权的账号ID>:user/<用户名>"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "<外部ID>"
}
}
}
]
}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "arn:aws-cn:s3:::bucket-test-0529/*" //只针对特定bucket授权
"Resource": "arn:aws-cn:s3:::*" //所有bucket授权
}
]
}
2.5 保存权限
2.6 选中权限
回到创建角色界面,点击刷新后,出现我们上一步创建的权限
2.7 填写角色名,点击创建角色,完成授权
package main
import (
"fmt"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awserr"
"github.com/aws/aws-sdk-go/aws/credentials"
"github.com/aws/aws-sdk-go/aws/session"
"github.com/aws/aws-sdk-go/service/sts"
)
// Uploads a file to S3 given a bucket and object key. Also takes a duration
// value to terminate the update if it doesn't complete within that time.
//
// The AWS Region needs to be provided in the AWS shared config or on the
// environment variable as `AWS_REGION`. Credentials also must be provided
// Will default to shared config file, but can load from environment if provided.
//
// Usage:
//
// # Upload myfile.txt to myBucket/myKey. Must complete within 10 minutes or will fail
// go run withContext.go -b mybucket -k myKey -d 10m < myfile.txt
func main() {
region := "cn-northwest-1"
endpoint := ""
ak := "**" //被授权账号
sk := "**" //被授权账号
externalId := "dfsafsf"
cfgs := &aws.Config{
Region: ®ion,
Endpoint: &endpoint,
Credentials: credentials.NewStaticCredentials(ak, sk, ""),
}
sess := session.Must(session.NewSession(cfgs))
svc := sts.New(sess)
input := &sts.AssumeRoleInput{
ExternalId: aws.String(externalId),
RoleArn: aws.String("arn:aws-cn:iam::<授权账号>:role/<角色名字>"),
RoleSessionName: aws.String("new_session"),
}
result, err := svc.AssumeRole(input)
if err != nil {
if aerr, ok := err.(awserr.Error); ok {
switch aerr.Code() {
case sts.ErrCodeMalformedPolicyDocumentException:
fmt.Println(sts.ErrCodeMalformedPolicyDocumentException, aerr.Error())
case sts.ErrCodePackedPolicyTooLargeException:
fmt.Println(sts.ErrCodePackedPolicyTooLargeException, aerr.Error())
case sts.ErrCodeRegionDisabledException:
fmt.Println(sts.ErrCodeRegionDisabledException, aerr.Error())
case sts.ErrCodeExpiredTokenException:
fmt.Println(sts.ErrCodeExpiredTokenException, aerr.Error())
default:
fmt.Printf("aerr other %s err %s\n", aerr.Code(), err.Error())
}
} else {
// Print the error, cast err to awserr.Error to get the Code and
// Message from an error.
fmt.Printf("other err %s\n", err.Error())
}
return
}
fmt.Println(result)
}