How enable access to AWS STS AssumeRole

2020-05-24 21:18发布

问题:

I am getting an error when calling to assume role method of STS. It says that the user is not authorized to perform sts:AsumeRole on resource xxx.

I did the following:

  1. I created a role to access to S3 bucket.
  2. I ran a test over policy simulator and works fine
  3. I created a new group, and in it, i created a new policy that enables all sts actions, over all resources.
  4. I ran a test with the policy simulator, to sts assume role, pointing to the ARN of role created at step one; and it works fine
  5. I created a new user, and put it in group created at step 3
  6. With the credentials of the new user, i try to get a new credentials using sts asume role, but throw me an error that say my user is not authorized to perform sts:AssumeRole

What am I doing wrong?

Policy in Group

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "some-large-id",
            "Effect": "Allow",
            "Action": [
                "sts:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Policy in role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "another-large-id",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket-name/*"
            ]
        }
    ]
}

And finally calling like this

let policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "new-custom-id",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": ["arn:aws:s3:::my-bucket-name/*"]
        }
    ]
};

let params = {
    DurationSeconds: 3600, 
    ExternalId: 'some-value', 
    Policy: JSON.stringify(policy), 
    RoleArn: "arn:aws:iam::NUMBER:role/ROLE-NAME", //Cheked, role is the same that step one
    RoleSessionName: this.makeNewSessionId()
};
let sts = new AWS.STS({ apiVersion: '2012-08-10' });

sts.assumeRole(params, (err, data) => {
    if(err) console.log(err);
    else console.log(data);
});

回答1:

There is a step that was missing: set trust relationship on role created in step one. No matter what privileges the user had, if the trust relationship is not set, STS will refuse the request.

Troubleshooting IAM Roles explain how it works.