Reputation: 923
AWS AssumeRole - User is not authorized to perform: sts:AssumeRole on resource
I am attempting to call the AssumeRole function using AWS sts in my PHP program since I want to create temporary credentials to allow a user to create an object for an AWS bucket.
Below is the fumction I am calling PHP:
$sts = StsClient::factory(array(
'key' => 'XXXXXXXXXXXXXX',
'secret' => 'XXXXXXXXXXXXXXXX',
'token.ttd' => $timetodie
));
$bucket = "mybucket";
$result1 = $sts->assumeRole(array(
'RoleArn' => 'arn:aws:iam::123456789012:role/createPic',
'RoleSessionName' => 'mytest',
'Policy' => json_encode(array(
'Statement' => array(
array(
'Sid' => 'Deny attributes',
'Action' => array(
's3:deleteObject',
's3:deleteBucket'
),
'Effect' => 'Deny',
'Resource' => array(
"arn:aws:s3:::{$bucket}",
"arn:aws:s3:::{$bucket}/AWSLogs/*"
),
'Principal' => array(
'AWS' => "*"
)
)
)
)
),
'DurationSeconds' => 3600,
// 'ExternalId' => 'string',
));
$credentials = $result1->get('Credentials');
However, I keep getting the following error:
User arn:aws:iam::123456789012:user/TVMUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/createPic
Below is my permissions policy for user TVMUser on my AWS console:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":"ec2:RunInstances",
"Resource":"*"
},
{
"Effect":"Allow",
"Action":"iam:PassRole",
"Resource":"arn:aws:iam::791758789361:user/TVMUser"
},
{
"Effect":"Allow",
"Action":"sts:AssumeRole",
"Resource":"arn:aws:iam::791758789361:role/createPic"
}
]
}
Below is my role policy for the role createPic:
{
"Version":"2012-10-17",
"Statement":[
{
"Effect":"Allow",
"Action":"ec2:RunInstances",
"Resource":"*"
},
{
"Effect":"Allow",
"Action":"iam:PassRole",
"Resource":"arn:aws:iam::791758789361:user/TVMUser"
},
{
"Effect":"Allow",
"Action":"sts:AssumeRole",
"Resource":"arn:aws:iam::791758789361:role/createPic"
}
]
}
Does anyone now what I am missing in my AWS policy statements and setup on AWS so I don't get the following error?
User arn:aws:iam::123456789012:user/TVMUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/createPic
Am I missing something?
Upvotes: 33
Views: 72053
Answers (3)
Reputation: 4230
You also need to edit the Trust relationship for the role to allow the account (even if it's the same) to assume the role.
- open the role that you want to assume in the console
- click on the "Trust Relationships" tab
- click on "Edit RelationShip"
- add a statement for the account that you want to add (usually you'll only have the ec2 service in the "Trusted Entities") e.g.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:role/some-role"
},
"Action": "sts:AssumeRole"
}
]
}
In this example I had to add the "AWS" principal with the proper account number, the ec2.amazonaws.com Service was already there.
After I've done that I was able to assume the role without issue. Took me literally hours to figure this out, hope that will help someone.
Upvotes: 102
Reputation: 305
I had the same error and spent hours trying to fix it with permissions and trust relationships... but that was not my problem.
I was following this tutorial and I deployed the cluster in US West (Oregon) as specified.
To make it work, I needed to activate STS for this region here.
Upvotes: 8
Reputation: 21
Maybe you should assign your sts region and endpoint:
$sts = StsClient::factory(array(
//...
'region' => 'us-west-2',
'endpoint' => 'https://sts.us-west-2.amazonaws.com',
));
Upvotes: 2
Related Questions
- AWS group user not allowed to assume role - access denied
- AWS StsClient: User not authorized to perform: sts:AssumeRole on resource
- AWS cli: not authorized to perform: sts:AssumeRole on resource
- AWS sts assume role - user is trusted by target role, user has sts permissions to assume target role. "User not allowed to perform assume role"
- AWS AccessDenied when calling sts:AssumeRole
- Not authorized to perform: sts:AssumeRole on resource
- AWS: STS Assume Role not working for user
- Trust Relationship Error AssumeRole policy may only specify STS AssumeRole actions
- STS AssumeRole error: AWS Access Key "does not exist in our records"
- AWS STS Roles with EC2 AssumeRole