AWS AssumeRole - User is not authorized to perform: sts:AssumeRole on resource

I am attempting to call the AssumeRole function using AWS STS in my PHP program, since I want to create temporary credentials that allow a user to create an object in an AWS bucket.

Below is the function I am calling in PHP:

    <?php
    // AWS SDK for PHP v2 client (factory() style); the use statement was missing.
    use Aws\Sts\StsClient;

    $sts = StsClient::factory(array(
        'key'       => 'XXXXXXXXXXXXXX',
        'secret'    => 'XXXXXXXXXXXXXXXX',
        'token.ttd' => $timetodie,
    ));

    $bucket = "mybucket";

    $result1 = $sts->assumeRole(array(
        'RoleArn'         => 'arn:aws:iam::123456789012:role/createPic',
        'RoleSessionName' => 'mytest',
        // Session policy: it can only narrow what the role already allows.
        // A session policy may not contain a 'Principal' element, and a Sid
        // must be alphanumeric, so both were corrected here.
        'Policy' => json_encode(array(
            'Version'   => '2012-10-17',
            'Statement' => array(
                array(
                    'Sid'    => 'DenyAttributes',
                    'Action' => array(
                        's3:DeleteObject',
                        's3:DeleteBucket',
                    ),
                    'Effect'   => 'Deny',
                    'Resource' => array(
                        "arn:aws:s3:::{$bucket}",
                        "arn:aws:s3:::{$bucket}/AWSLogs/*",
                    ),
                ),
            ),
        )),
        'DurationSeconds' => 3600,
        // 'ExternalId' => 'string',
    ));

    $credentials = $result1->get('Credentials');

However, I keep getting the following error:

User arn:aws:iam::123456789012:user/TVMUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/createPic 

Below is my permissions policy for user TVMUser in my AWS console:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "arn:aws:iam::791758789361:user/TVMUser"
        },
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::791758789361:role/createPic"
        }
      ]
    }

Below is my role policy for the role createPic:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "arn:aws:iam::791758789361:user/TVMUser"
        },
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::791758789361:role/createPic"
        }
      ]
    }

Does anyone know what I am missing in my AWS policy statements and setup on AWS, so that I don't get the following error?

User arn:aws:iam::123456789012:user/TVMUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/createPic 

Am I missing something?

Dave asked Feb 22 '14 16:02



2 Answers

You also need to edit the Trust relationship for the role to allow the account (even if it's the same) to assume the role.

  1. Open the role that you want to assume in the console.
  2. Click on the "Trust Relationships" tab.
  3. Click on "Edit Relationship".
  4. Add a statement for the account that you want to add (usually you'll only have the ec2 service in the "Trusted Entities"), e.g.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        },
        {
          "Sid": "",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456789012:role/some-role"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

In this example I had to add the "AWS" principal with the proper account number, the ec2.amazonaws.com Service was already there.

After I've done that I was able to assume the role without issue. Took me literally hours to figure this out, hope that will help someone.

WispyCloud answered Sep 19 '22 12:09
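The answer above comes down to two independent checks that AWS applies to a same-account AssumeRole: the caller's identity policy must allow sts:AssumeRole on the role ARN, and the role's trust policy must name the caller (or its account) as an AWS principal. The following is an added example, not code from the question or the answer, that models both checks on sample policies constructed from the question's ARNs; it deliberately ignores explicit Deny statements and Condition blocks.

```python
import fnmatch

CALLER = "arn:aws:iam::123456789012:user/TVMUser"
ROLE = "arn:aws:iam::123456789012:role/createPic"

# Constructed sample data modelled on the question: the user's identity policy,
# and the role's trust policy before and after adding the AWS principal.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE}]}
TRUST_BEFORE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"}]}
TRUST_AFTER = {"Version": "2012-10-17", "Statement": TRUST_BEFORE["Statement"] + [
    {"Effect": "Allow", "Principal": {"AWS": CALLER}, "Action": "sts:AssumeRole"}]}

def _as_list(x):
    return x if isinstance(x, list) else [x]

def _allow_statements(policy, action):
    """Yield Allow statements whose Action matches `action` (IAM-style * wildcards)."""
    for st in _as_list(policy["Statement"]):
        if st.get("Effect") == "Allow" and any(
                fnmatch.fnmatchcase(action, a) for a in _as_list(st.get("Action", []))):
            yield st

def identity_allows(identity_policy, role_arn):
    """Caller side: an identity-based policy must allow sts:AssumeRole on the role ARN."""
    return any(fnmatch.fnmatchcase(role_arn, r)
               for st in _allow_statements(identity_policy, "sts:AssumeRole")
               for r in _as_list(st.get("Resource", [])))

def trust_allows(trust_policy, caller_arn):
    """Role side: the trust policy must list the caller, its account root, or the
    bare account id as an AWS principal. A Service principal such as
    ec2.amazonaws.com only trusts that service, which is why the question's setup failed."""
    account = caller_arn.split(":")[4]
    accepted = {caller_arn, account, f"arn:aws:iam::{account}:root"}
    return any(p in accepted
               for st in _allow_statements(trust_policy, "sts:AssumeRole")
               for p in _as_list(st.get("Principal", {}).get("AWS", [])))

def assume_role_check(identity_policy, trust_policy, caller_arn, role_arn):
    """Both halves must pass; return the list of sides still missing (empty means OK)."""
    missing = []
    if not identity_allows(identity_policy, role_arn):
        missing.append("identity policy lacks sts:AssumeRole on the role")
    if not trust_allows(trust_policy, caller_arn):
        missing.append("trust policy does not list the caller as an AWS principal")
    return missing
```

Running `assume_role_check` with `TRUST_BEFORE` reports only the trust-policy gap, which matches the AccessDenied in the question even though the user's own policy already allowed sts:AssumeRole.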


I had the same error and spent hours trying to fix it with permissions and trust relationships, but that was not my problem.

I was following this tutorial and I deployed the cluster in US West (Oregon) as specified.

To make it work, I needed to activate STS for this region here.


Thierry G. answered Sep 22 '22 12:09