概要
- AWS CLIからのAssmeRoleの設定でハマったのでメモ
- 参考記事は下にまとめた。これらでやってもだめだった。
- role_session_nameを追加すると成功するケースだった
- 親アカウントから子アカウントへ、クロスアカウントでスイッチロールする環境
詳細
- 公式や記事によくある設定で試したがうまく行かなかった
$ aws s3 ls s3://test-public-bucket --profile dev-project
Enter MFA code for arn:aws:iam::987*********:mfa/master-account-my-user:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::123*********:user/master-account-my-user is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123*********:role/fullaccess_dev-project
~/.aws/credentials
[default]
aws_access_key_id = AKIA****************
aws_secret_access_key = XYZ*************************************
[master-account]
aws_access_key_id = AKIA****************
aws_secret_access_key = ZXY*************************************
- role_session_nameを追加してみる
~/.aws/config
[profile master-account]
region = ap-northeast-1
output = json
source_profile = master-account
mfa_serial = arn:aws:iam::987*********:mfa/master-account-my-user
role_arn = arn:aws:iam::987*********:role/fullaccess_admin_master-account
role_session_name = master-account-my-user
[profile dev-project]
region = ap-northeast-1
output = json
source_profile = master-account
role_arn = arn:aws:iam::123*********:role/fullaccess_admin_dev-project
mfa_serial = arn:aws:iam::987*********:mfa/master-account-my-user
role_session_name = master-account-my-user
[default]
region = ap-northeast-1
output = json
- うまくいった
$ aws s3 ls --profile=dev-project
Enter MFA code for arn:aws:iam::987*********:mfa/master-account-my-user:
2022-03-01 17:47:34 prd-public-bucket
2022-03-17 19:31:52 dev-public-bucket
2022-03-18 19:57:47 stg-public-bucket