Access keys and secret access keys can be created for an IAM user with "Generate Access Keys". However, keys made this way have to be rotated after a certain period, which is quite a hassle. So I attached an IAM role to the EC2 instance, planning to say goodbye to access keys altogether, but once the IAM role was applied I could no longer obtain the temporary AccessKey and SecretAccessKey the way I had written it before. I used to write it like this:
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetSessionTokenRequest;
import com.amazonaws.services.securitytoken.model.GetSessionTokenResult;
// Long-term IAM user keys, hard-coded; GetSessionToken only accepts these, not instance-role credentials
AWSCredentials credentials = new BasicAWSCredentials("access key", "secret access key");
AWSSecurityTokenServiceClient sts = new AWSSecurityTokenServiceClient(credentials);
GetSessionTokenRequest req = new GetSessionTokenRequest();
GetSessionTokenResult res = sts.getSessionToken(req);
Credentials tmpCredentials = res.getCredentials();
String accessKeyId = tmpCredentials.getAccessKeyId();
String secretAccessKey = tmpCredentials.getSecretAccessKey();
After a quick look, AssumeRole turns out to work. It originally seems intended for working with resources across different accounts, but I think it is fine for this case too.
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;
// No keys passed in: the client picks up the EC2 instance-role credentials from the default provider chain
AWSSecurityTokenService sts = new AWSSecurityTokenServiceClient();
AssumeRoleResult assumeRoleResult = sts.assumeRole(new AssumeRoleRequest()
        .withRoleArn(ROLE_ARN)
        .withRoleSessionName(ROLE_SESSION_NAME));
Credentials credentials = assumeRoleResult.getCredentials();
System.out.println("AccessKeyId=" + credentials.getAccessKeyId() + " SecretAccessKey=" + credentials.getSecretAccessKey() + " SessionToken=" + credentials.getSessionToken());
So what should be specified for ROLE_ARN and ROLE_SESSION_NAME? ROLE_ARN is the ARN of the role to assume.
ROLE_SESSION_NAME is any string you like, e.g. "role_session".
Finally, for the role you want to use, it is OK if you add a policy like the following (it allows sts:AssumeRole on the ARN of that role):
{
  "Effect": "Allow",
  "Action": [
    "sts:AssumeRole"
  ],
  "Resource": [
    "arn:aws:iam::xxxxxxxxxxxx:role/full_ec2_lambda"
  ]
}
You can now get temporary credentials.
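As an added example (not the author's code), here is the AssumeRole flow above written as a complete program against AWS SDK for Java v1: it relies on the instance profile through the default credential chain, assumes the role once, and then uses the SDK's STSAssumeRoleSessionCredentialsProvider so the session is refreshed automatically instead of copying out the key, secret and token by hand. ROLE_ARN and ROLE_SESSION_NAME are placeholders, as on the page.

```java
import com.amazonaws.auth.AWSCredentials;
import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSSessionCredentials;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.Credentials;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;

public class AssumeRoleFromInstanceProfile {
    // Placeholders: the ARN of the role to assume and a session name that
    // identifies this caller in CloudTrail. The target role's trust policy
    // must also allow the EC2 instance role as a principal, or AssumeRole fails.
    static final String ROLE_ARN = "arn:aws:iam::xxxxxxxxxxxx:role/full_ec2_lambda";
    static final String ROLE_SESSION_NAME = "ec2-app-session";

    // One-shot AssumeRole. The STS client is built without any keys, so it takes
    // the instance-profile credentials from the default provider chain.
    static Credentials assumeOnce(AWSSecurityTokenService sts) {
        AssumeRoleResult result = sts.assumeRole(new AssumeRoleRequest()
                .withRoleArn(ROLE_ARN)
                .withRoleSessionName(ROLE_SESSION_NAME)
                .withDurationSeconds(900)); // shortest allowed lifetime: 15 minutes
        return result.getCredentials();
    }

    // Refreshing provider: re-assumes the role before the session expires, so
    // the key/secret/token triple never has to be handled in application code.
    static AWSCredentialsProvider refreshingProvider(AWSSecurityTokenService sts) {
        return new STSAssumeRoleSessionCredentialsProvider.Builder(ROLE_ARN, ROLE_SESSION_NAME)
                .withStsClient(sts)
                .withRoleSessionDurationSeconds(900)
                .build();
    }

    public static void main(String[] args) {
        AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.defaultClient();
        Credentials c = assumeOnce(sts);
        // Log only the non-secret parts: key id and expiry, not the secret or token.
        System.out.println("AccessKeyId=" + c.getAccessKeyId() + " expires=" + c.getExpiration());

        AWSCredentialsProvider provider = refreshingProvider(sts);
        AWSCredentials creds = provider.getCredentials();
        // Temporary credentials always carry a session token; a plain key/secret pair would not.
        System.out.println("session credentials: " + (creds instanceof AWSSessionCredentials));

        // Confirm which principal the assumed credentials represent (assumed-role ARN).
        AWSSecurityTokenService asRole = AWSSecurityTokenServiceClientBuilder.standard()
                .withCredentials(provider).build();
        System.out.println("acting as: " + asRole.getCallerIdentity(new GetCallerIdentityRequest()).getArn());
    }
}
```

Run it on an EC2 instance whose instance role carries the sts:AssumeRole policy shown above; the final line should print an arn:aws:sts::...:assumed-role/... ARN for the target role.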