【Posted】: 2021-12-21 07:35:04
【Problem description】:
I am trying to run a GitHub Action to perform a database migration on a staging server on AWS.
name: db migration for stg.
on:
  push:
    branches:
      - staging
    paths:
      - api/db/migrate/**
jobs:
  migration:
    name: DB Migration
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Configure AWS credentials
        uses: aws-actions/configure-aws-credentials@v1
        with:
          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY_ID }}
          aws-secret-access-key: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
          role-to-assume: ${{ secrets.AWS_ASSUME_ROLE_ARN_STG }}
          role-duration-seconds: 1200
          aws-region: ap-northeast-1
      - uses: ruby/setup-ruby@v1
        with:
          ruby-version: '2.7.2'
      - name: ssh configure
        env:
          SSH_SECRET_KEY: ${{ secrets.SSH_SECRET_KEY }}
        run: |
          mkdir -p ~/.ssh && touch ~/.ssh/config
          echo 'host i-* mi-*' >> ~/.ssh/config
          echo ' ProxyCommand sh -c "aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters 'portNumber=%p'"' >> ~/.ssh/config
          echo $SSH_SECRET_KEY | base64 -d > ~/.ssh/id_rsa2
          chmod 0600 ~/.ssh/id_rsa2
      - name: db migration
        env:
          RAILS_ENV: <env>
          RAILS_MASTER_KEY: <key>
          RDS_HOSTNAME: 127.0.0.1
          RDS_DB_NAME: <db_name>
          RDS_USERNAME: <username>
          RDS_PASSWORD: <password>
          RDS_PORT: 9999
          STEP_SERVER_ID: <id>
          DB_HOST: <host>
        working-directory: ./api
        run: |
          ssh -f -N -L $RDS_PORT:$DB_HOST:3306 -i ~/.ssh/id_rsa2 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null ssm-user@$STEP_SERVER_ID
          sudo apt-get -yqq install libpq-dev
          gem install bundler
          bundle install --jobs 4 --retry 3
          bundle exec rails db:migrate
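What could be the cause of this error when running this action? I have tried many steps to narrow down the cause of the problem, whether it is caused by the assumable_role, wrong secret values, the trust relationship, etc. Can anyone suggest what might be causing this?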
Run aws-actions/configure-aws-credentials@v1
  with:
    aws-access-key-id: ***
    aws-secret-access-key: ***
    role-to-assume: ***
    role-duration-seconds: 1200
    aws-region: ap-northeast-1
Error: User: arn:aws:iam::***:user/github_user is not authorized to perform: sts:TagSession on resource: ***
Policy summary for github_user
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:*",
            "Resource": "*"
        }
    ]
}
【Discussion】:
Tags: amazon-web-services github-actions
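
The error above names `sts:TagSession`: `aws-actions/configure-aws-credentials@v1` tags the session when it assumes a role, and the role's trust policy has to allow that action for the caller in addition to `sts:AssumeRole`. The checker below is an added example, not part of the original post. The account ID, the two trust policies and the function name `missing_trust_actions` are constructed for illustration, and `Deny` statements and `Condition` blocks are not evaluated.

```python
import json
from fnmatch import fnmatchcase

NEEDED = ("sts:AssumeRole", "sts:TagSession")
CALLER = "arn:aws:iam::111122223333:user/github_user"  # constructed account ID

def _trust(actions):
    # Constructed trust policy for a hypothetical staging role.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": CALLER},
        "Action": actions}]}

TRUST_ASSUME_ONLY = _trust("sts:AssumeRole")
TRUST_WITH_TAGGING = _trust(["sts:AssumeRole", "sts:TagSession"])

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller_arn):
    """True if the statement's Principal names the caller or its account."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    account = caller_arn.split(":")[4]
    accepted = {"*", caller_arn, account, f"arn:aws:iam::{account}:root"}
    return any(p in accepted for p in _as_list(principal.get("AWS", [])))

def missing_trust_actions(trust_policy, caller_arn, needed=NEEDED):
    """Return the needed actions that no Allow statement grants to caller_arn.

    Simplification (assumption): Deny statements and Condition blocks
    are not evaluated.
    """
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    granted = set()
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and may use wildcards.
            granted.update(a for a in needed if fnmatchcase(a.lower(), pattern.lower()))
    return [a for a in needed if a not in granted]

if __name__ == "__main__":
    for name, policy in (("assume-only", TRUST_ASSUME_ONLY), ("with-tagging", TRUST_WITH_TAGGING)):
        print(name, "missing:", missing_trust_actions(policy, CALLER))
```

Feed it the output of `aws iam get-role --query Role.AssumeRolePolicyDocument` for the role being assumed. The action's `role-skip-session-tagging: true` input is the alternative when the trust policy cannot be changed.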