AWS Identity and Access Management
User Guide
The AWS services or features described in the AWS documentation may vary by region. To see the differences that apply to the China regions, see Getting Started with Amazon AWS.

Example code: requesting credentials with multi-factor authentication

The following examples show how to call the GetSessionToken and AssumeRole operations and pass the MFA authentication parameters. No permissions are required to call GetSessionToken, but to call AssumeRole you must have a policy that allows the sts:AssumeRole action, and the role's trust policy must allow your user to assume it. The returned temporary credentials are then used to list the objects in an S3 bucket in the account.

Calling GetSessionToken with MFA authentication (Python and C#)

The following examples, written with the AWS SDK for Python (Boto) and the AWS SDK for .NET, show how to call GetSessionToken and pass the MFA authentication information. The temporary security credentials returned by GetSessionToken are then used to list the objects in an S3 bucket in the account.

The temporary credentials that GetSessionToken returns carry the same permissions as the policies attached to the user running this code (or to the user's groups); they do not grant anything the user could not already do. For this example code, which lists the objects in one bucket, the policy must grant the user the Amazon S3 ListBucket action (s3:ListBucket) on that bucket. If the policy makes that permission conditional on MFA (for example with the aws:MultiFactorAuthPresent condition key), the call only succeeds with the credentials obtained here, not with the user's long-term access key.

Using Python

import boto
from boto.s3.connection import S3Connection
from boto.sts import STSConnection

# Prompt for the MFA time-based one-time password (TOTP).
# raw_input is Python 2; on Python 3 use input() instead.
mfa_TOTP = raw_input("Enter the MFA code: ")

# The call to AWS STS GetSessionToken must be signed with the access key ID and secret
# access key of an IAM user. The credentials can be in environment variables or in
# a configuration file and will be discovered automatically by the STSConnection()
# function. For more information, see the Python SDK documentation:
# http://boto.readthedocs.org/en/latest/boto_config_tut.html
sts_connection = STSConnection()

# Use the appropriate device ID (serial number for a hardware device or ARN for a virtual device).
# Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values.
tempCredentials = sts_connection.get_session_token(
    duration=3600,
    mfa_serial_number="arn:aws-cn:iam::ACCOUNT-NUMBER-WITHOUT-HYPHENS:mfa/MFA-DEVICE-ID",
    mfa_token=mfa_TOTP
)

# Use the temporary credentials to list the contents of an S3 bucket.
# All three parts (access key, secret key, session token) are required.
s3_connection = S3Connection(
    aws_access_key_id=tempCredentials.access_key,
    aws_secret_access_key=tempCredentials.secret_key,
    security_token=tempCredentials.session_token
)

# Replace BUCKET-NAME with an appropriate value.
bucket = s3_connection.get_bucket(bucket_name="BUCKET-NAME")
objectlist = bucket.list()
for obj in objectlist:
    print(obj.name)

Using C#

using System;
using Amazon.Runtime;
using Amazon.S3;
using Amazon.S3.Model;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

Console.Write("Enter MFA code: ");
string mfaTOTP = Console.ReadLine(); // Get the TOTP code from the user

/* The call to AWS STS GetSessionToken must be signed using the access key ID and secret
   access key of an IAM user. The credentials can be in environment variables or in a
   configuration file and will be discovered automatically by the
   AmazonSecurityTokenServiceClient constructor. For more information, see
   http://docs.amazonaws.cn/AWSSdkDocsNET/latest/DeveloperGuide/net-dg-config-creds.html */
AmazonSecurityTokenServiceClient stsClient = new AmazonSecurityTokenServiceClient();

GetSessionTokenRequest getSessionTokenRequest = new GetSessionTokenRequest();
getSessionTokenRequest.DurationSeconds = 3600;
// Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS and MFA-DEVICE-ID with appropriate values
getSessionTokenRequest.SerialNumber = "arn:aws-cn:iam::ACCOUNT-NUMBER-WITHOUT-HYPHENS:mfa/MFA-DEVICE-ID";
getSessionTokenRequest.TokenCode = mfaTOTP;

GetSessionTokenResponse getSessionTokenResponse = stsClient.GetSessionToken(getSessionTokenRequest);

// Extract the temporary credentials from the result of the GetSessionToken call.
// (AWS SDK for .NET v2 and later expose them as Credentials directly on the response.)
Credentials sessionCredentials = getSessionTokenResponse.Credentials;
SessionAWSCredentials tempCredentials = new SessionAWSCredentials(
    sessionCredentials.AccessKeyId,
    sessionCredentials.SecretAccessKey,
    sessionCredentials.SessionToken);

// Use the temporary credentials to list the contents of an S3 bucket
// Replace BUCKET-NAME with an appropriate value
ListObjectsRequest s3ListObjectsRequest = new ListObjectsRequest();
s3ListObjectsRequest.BucketName = "BUCKET-NAME";
IAmazonS3 s3Client = new AmazonS3Client(tempCredentials);
ListObjectsResponse s3ListObjectsResponse = s3Client.ListObjects(s3ListObjectsRequest);
foreach (S3Object s3Object in s3ListObjectsResponse.S3Objects)
{
    Console.WriteLine(s3Object.Key);
}
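The policy side of these examples, as an added illustration that is not part of this guide: a role trust policy that grants sts:AssumeRole only when the caller's credentials were obtained with MFA (the aws:MultiFactorAuthPresent and aws:MultiFactorAuthAge condition keys), and an identity policy that tries to deny every non-MFA request. The small evaluator that exercises them is written for this example and is not IAM's policy engine: it implements only the Bool, BoolIfExists, Null and NumericLessThan operators and ignores Principal and Resource. The account ID 111122223333 is a placeholder. The point it demonstrates is a real IAM behaviour: long-term access keys carry no aws:MultiFactorAuthPresent key at all, so a Deny written as Bool/"false" never fires for them, while BoolIfExists/"false" (or Null/"true") does.

```python
# Added example (not from the AWS guide): how IAM's MFA condition keys behave for
# credentials from GetSessionToken/AssumeRole with MFA versus long-term access keys.


def mfa_request_context(mfa_age_seconds=None):
    """The request context IAM sees. Temporary credentials obtained with
    SerialNumber/TokenCode carry both MFA keys; long-term keys carry neither."""
    if mfa_age_seconds is None:
        return {}
    return {"aws:MultiFactorAuthPresent": "true",
            "aws:MultiFactorAuthAge": str(mfa_age_seconds)}


# Role trust policy: assumable only with MFA that is less than an hour old.
TRUST_POLICY_REQUIRING_MFA = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws-cn:iam::111122223333:root"},  # placeholder account
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"},
                      "NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}},
    }],
}

# Common mistake: Bool on an absent key does not match, so this Deny never
# applies to requests signed with long-term access keys.
BROKEN_MFA_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}

# Same intent, written so that a missing key also triggers the Deny.
# Equivalent alternative: {"Null": {"aws:MultiFactorAuthPresent": "true"}}.
FIXED_MFA_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "*"},
        {"Effect": "Deny", "Action": "*", "Resource": "*",
         "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}},
    ],
}


def _condition_matches(operator, key, expected, ctx):
    present = key in ctx
    if operator == "Null":
        # "true" asserts the key is absent from the request, "false" that it is present
        return (not present) if expected == "true" else present
    if operator == "BoolIfExists":
        if not present:
            return True          # ...IfExists: an absent key satisfies the condition
        operator = "Bool"
    if not present:
        return False             # Bool / NumericLessThan never match an absent key
    actual = ctx[key]
    if operator == "Bool":
        return actual.lower() == expected.lower()
    if operator == "NumericLessThan":
        return float(actual) < float(expected)
    raise ValueError("operator not supported by this toy evaluator: %s" % operator)


def statement_matches(stmt, action, ctx):
    actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
    if action not in actions and "*" not in actions:
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        for key, expected in pairs.items():
            if not _condition_matches(operator, key, expected, ctx):
                return False
    return True


def evaluate(policy, action, ctx):
    """An explicit Deny wins over any Allow; no matching statement is an implicit deny."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, ctx):
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def demo():
    return {
        "assume_with_fresh_mfa": evaluate(TRUST_POLICY_REQUIRING_MFA, "sts:AssumeRole", mfa_request_context(600)),
        "assume_with_stale_mfa": evaluate(TRUST_POLICY_REQUIRING_MFA, "sts:AssumeRole", mfa_request_context(7200)),
        "assume_with_long_term_key": evaluate(TRUST_POLICY_REQUIRING_MFA, "sts:AssumeRole", mfa_request_context()),
        "broken_deny_long_term_key": evaluate(BROKEN_MFA_DENY, "s3:ListBucket", mfa_request_context()),
        "fixed_deny_long_term_key": evaluate(FIXED_MFA_DENY, "s3:ListBucket", mfa_request_context()),
        "fixed_deny_with_mfa": evaluate(FIXED_MFA_DENY, "s3:ListBucket", mfa_request_context(10)),
    }
```

Running demo() shows the trust policy admitting only a fresh MFA session, and the two Deny policies diverging exactly on the long-term-key request: the Bool/"false" version still allows it. Check any policy that is meant to enforce MFA with the IAM policy simulator using a context that omits the key entirely, not one that sets it to "false".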

Calling AssumeRole with MFA authentication (Python)

The following example, written with the AWS SDK for Python (Boto), shows how to call AssumeRole and pass the MFA authentication information. The temporary security credentials returned by AssumeRole are then used to list the objects in an Amazon S3 bucket in the account. Unlike GetSessionToken, the credentials carry the role's permissions, not the calling user's.

For more information about this scenario, see Scenario: MFA Protection for Cross-Account Delegation.

import boto
from boto.s3.connection import S3Connection
from boto.sts import STSConnection

# Prompt for the MFA time-based one-time password (TOTP).
# raw_input is Python 2; on Python 3 use input() instead.
mfa_TOTP = raw_input("Enter the MFA code: ")

# The call to AWS STS AssumeRole must be signed with the access key ID and secret
# access key of an IAM user. (The AssumeRole API operation can also be called using temporary
# credentials, but this example does not show that scenario.)
# The IAM user credentials can be in environment variables or in a configuration file and
# will be discovered automatically by the STSConnection() function. For more information,
# see the Python SDK documentation:
# http://boto.readthedocs.org/en/latest/boto_config_tut.html
sts_connection = STSConnection()

# Use the appropriate device ID (serial number for a hardware device or ARN for a virtual device).
# Replace ACCOUNT-NUMBER-WITHOUT-HYPHENS, ROLE-NAME, and MFA-DEVICE-ID with appropriate values.
tempCredentials = sts_connection.assume_role(
    role_arn="arn:aws-cn:iam::ACCOUNT-NUMBER-WITHOUT-HYPHENS:role/ROLE-NAME",
    role_session_name="AssumeRoleSession1",
    mfa_serial_number="arn:aws-cn:iam::ACCOUNT-NUMBER-WITHOUT-HYPHENS:mfa/MFA-DEVICE-ID",
    mfa_token=mfa_TOTP
)

# Use the temporary credentials to list the contents of an S3 bucket.
# assume_role() returns an AssumedRole object; the keys live under .credentials.
s3_connection = S3Connection(
    aws_access_key_id=tempCredentials.credentials.access_key,
    aws_secret_access_key=tempCredentials.credentials.secret_key,
    security_token=tempCredentials.credentials.session_token
)

# Replace BUCKET-NAME with a real bucket name.
bucket = s3_connection.get_bucket(bucket_name="BUCKET-NAME")
objectlist = bucket.list()
for obj in objectlist:
    print(obj.name)
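The same two calls with the current AWS SDK for Python (boto3), as an added example that is not part of this guide. Beyond translating the boto calls above, it adds what a CLI wrapper around MFA actually needs: the temporary credentials are kept only until shortly before their Expiration, the user is prompted for a TOTP code only when a fresh set is needed, and the long-term access key is never copied anywhere. The boto3 method signatures used (get_session_token with DurationSeconds, SerialNumber and TokenCode; assume_role with RoleArn, RoleSessionName, DurationSeconds, SerialNumber and TokenCode) are the real STS client methods; the FakeSTS class, the fake clock, and the account ID and device ARN are constructed so the module runs offline. Replace FakeSTS with boto3.client("sts") for real use.

```python
# Added example (not from the AWS guide): boto3 GetSessionToken / AssumeRole with MFA,
# caching the temporary credentials until they are about to expire.
import datetime
import getpass


class MfaCredentialCache:
    # Refresh a little early so an in-flight request does not fail with ExpiredToken.
    REFRESH_MARGIN = datetime.timedelta(minutes=5)

    def __init__(self, sts_client, mfa_serial, prompt=None, now=None):
        self._sts = sts_client            # boto3.client("sts") in real use
        self._mfa_serial = mfa_serial     # ARN of the virtual device or hardware serial
        self._prompt = prompt or (lambda: getpass.getpass("Enter the MFA code: "))
        self._now = now or (lambda: datetime.datetime.now(datetime.timezone.utc))
        self._cache = {}                  # cache key -> Credentials dict from STS

    def _fresh(self, creds):
        return creds is not None and creds["Expiration"] - self.REFRESH_MARGIN > self._now()

    def session_credentials(self, duration=3600):
        """GetSessionToken: the caller's own permissions, now marked as MFA-authenticated."""
        key = ("session", self._mfa_serial)
        creds = self._cache.get(key)
        if not self._fresh(creds):
            resp = self._sts.get_session_token(
                DurationSeconds=duration, SerialNumber=self._mfa_serial, TokenCode=self._prompt())
            creds = self._cache[key] = resp["Credentials"]
        return creds

    def role_credentials(self, role_arn, session_name, duration=3600):
        """AssumeRole with MFA: the role's permissions; its trust policy may require MFA."""
        key = ("role", role_arn)
        creds = self._cache.get(key)
        if not self._fresh(creds):
            resp = self._sts.assume_role(
                RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=duration,
                SerialNumber=self._mfa_serial, TokenCode=self._prompt())
            creds = self._cache[key] = resp["Credentials"]
        return creds


def s3_client_from(creds):
    """Build an S3 client from STS credentials; all three parts are required."""
    import boto3  # imported here so the rest of the module runs without boto3 installed
    return boto3.client("s3", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


class FakeSTS:
    """Constructed stand-in for the boto3 STS client so this example runs offline.
    It enforces only what matters here: a 6-digit TokenCode must be supplied."""

    def __init__(self, clock):
        self._clock = clock
        self.calls = 0

    def _issue(self, duration, token):
        if not (token.isdigit() and len(token) == 6):
            raise ValueError("AccessDenied: MultiFactorAuthentication failed")
        self.calls += 1
        return {"Credentials": {
            "AccessKeyId": "ASIA%012d" % self.calls,   # temporary keys start with ASIA
            "SecretAccessKey": "fake-secret-%d" % self.calls,
            "SessionToken": "fake-token-%d" % self.calls,
            "Expiration": self._clock() + datetime.timedelta(seconds=duration)}}

    def get_session_token(self, DurationSeconds, SerialNumber, TokenCode):
        return self._issue(DurationSeconds, TokenCode)

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds, SerialNumber, TokenCode):
        return self._issue(DurationSeconds, TokenCode)


def demo():
    """Advance a fake clock: two uses within the hour share one TOTP prompt,
    a third use after expiry prompts again and gets new keys."""
    clock = {"t": datetime.datetime(2024, 1, 1, tzinfo=datetime.timezone.utc)}
    prompts = []

    def prompt():
        prompts.append(1)
        return "123456"                   # constructed TOTP code

    cache = MfaCredentialCache(FakeSTS(lambda: clock["t"]),
                               "arn:aws-cn:iam::123456789012:mfa/example-device",  # placeholder
                               prompt=prompt, now=lambda: clock["t"])
    first = cache.session_credentials()
    clock["t"] += datetime.timedelta(minutes=30)
    second = cache.session_credentials()
    clock["t"] += datetime.timedelta(minutes=30)   # 60 min: past expiry minus the margin
    third = cache.session_credentials()
    role = cache.role_credentials("arn:aws-cn:iam::123456789012:role/example-role", "s1")
    return {"prompts": len(prompts), "reused": first is second,
            "renewed": third["AccessKeyId"] != first["AccessKeyId"],
            "role_key_differs": role["AccessKeyId"] != third["AccessKeyId"]}
```

The cache key separates GetSessionToken credentials from each role's credentials, because they carry different permissions. A bad code surfaces as an exception from the STS call (AccessDenied from the real service, ValueError from the stand-in) and leaves the cache untouched.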