com.amazonaws.AmazonClientException: com.amazonaws.AmazonServiceException: Roles may not be assumed by root accounts. (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied;
I created a role and its Trust Relationship is:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<awsID>:root",
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
I even tried creating a policy and assigned it to my role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket"
      ],
      "Resource": [
        "arn:aws:s3:::secorbackup"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:PutObject",
        "s3:GetObject",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::secorbackup/*"
      ]
    }
  ]
}
Nothing seems to work. I'm getting the same error. I am using pinterest/secor for log persistence from Kafka to S3. Any suggestions?
Roles may not be assumed by root accounts.
This error means exactly what it says.
You cannot assume a role while using a root account, under any circumstances. You have to use an IAM account.
There is no other workaround for this. The behavior is by design.
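An added example, not part of the original answer or of secor: a preflight check that separates the two meanings of `:root` on this page, the caller identity that STS rejects and the account principal in the trust policy. The account ID 111122223333 is a placeholder for `<awsID>`, and the function names are hypothetical; the caller ARN is assumed to be the `Arn` value returned by `sts:GetCallerIdentity`.

```python
import json
import re

# Constructed sample: the question's trust policy, with the placeholder
# account ID 111122223333 standing in for <awsID>.
TRUST_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111122223333:root",
                              "Service": "ec2.amazonaws.com"},
                "Action": "sts:AssumeRole"}]}
""")

ARN_RE = re.compile(r"^arn:aws[a-z-]*:(iam|sts)::(\d{12}):(.+)$")

def as_list(value):
    return value if isinstance(value, list) else [value]

def caller_kind(caller_arn):
    """Split the Arn reported by sts:GetCallerIdentity into (account, kind)."""
    m = ARN_RE.match(caller_arn)
    if not m:
        raise ValueError(f"unrecognised caller ARN: {caller_arn!r}")
    service, account, resource = m.groups()
    if service == "iam" and resource == "root":
        return account, "root"                 # account root user credentials
    return account, resource.split("/", 1)[0]  # user, assumed-role, ...

def trusted_aws_principals(policy):
    """AWS principals that Allow statements trust for sts:AssumeRole."""
    trusted = set()
    for stmt in as_list(policy["Statement"]):
        principal = stmt.get("Principal")
        if (stmt.get("Effect") == "Allow" and isinstance(principal, dict)
                and "sts:AssumeRole" in as_list(stmt.get("Action", []))):
            trusted.update(as_list(principal.get("AWS", [])))
    return trusted

def preflight(caller_arn, policy):
    """Return (ok, reason) for an AssumeRole attempt by caller_arn."""
    account, kind = caller_kind(caller_arn)
    if kind == "root":
        return False, "caller is the root user: STS rejects AssumeRole"
    trusted = trusted_aws_principals(policy)
    # In a trust policy, arn:...:<account>:root means "this account", i.e.
    # its IAM users and roles may assume the role if their own policy allows.
    if caller_arn in trusted or f"arn:aws:iam::{account}:root" in trusted \
            or account in trusted:
        return True, f"{kind} in a trusted account; needs sts:AssumeRole allowed"
    return False, "caller is not named by the trust policy"
```
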