gambol

Reputation: 133

aws sts AssumeRoleWithWebIdentityInput

I'm having problems using the AWS STS service to give temporary user access to the console. I can use the IDP and AssumeRoleWithWebIdentityInput method to retrieve credentials fine and have tested the credentials as working using the aws-cli tools, but providing a redirect into the console simply doesn't work, despite numerous attempts/permutations. I simply get the message: "Some of your credentials are missing. Please contact your administrator." Note: the policy attached to the role which has the trust with the custom IDP is AmazonEC2ReadOnlyAccess. Note: I also tried GetFederatedToken(), which ends the same way; the credentials work for the API, but when I try the sign-in and redirect I can't access the console. Has anyone come across this? ... Is there something I'm missing in the policy to permit console access?

I also tried adding the policy document to the request, again nothing more than a copy and paste of the AmazonEC2ReadOnlyAccess policy, but no dice.

// assume the identity - works fine - I receive my credentials
// and I can use the access_id, secret and session token placed
// in ~/.aws/credentials fine

input := &sts.AssumeRoleWithWebIdentityInput{
    RoleArn:          aws.String("arn:aws:iam::ACCOUNT_ID:role/USER-web-identity"),
    RoleSessionName:  aws.String(context.email),
    WebIdentityToken: aws.String(context.token.Encode()),
    DurationSeconds:  aws.Int64(900),
}

.. skipping code

// and then try to give the user access to the console as
// described in http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
params := &url.Values{}
params.Add("Action", "getSigninToken")
params.Add("SessionType", "json")
params.Add("Session", string(encoded))

// I receive the SigninToken response fine and encode it into a
// redirect URL to the console
query := &url.Values{}
query.Add("Action", "login")
query.Add("Issuer", "https://127.0.0.1:3000/sso/session")
query.Add("Destination", "https://console.aws.amazon.com")
query.Add("SigninToken", token)

cx.Redirect(http.StatusTemporaryRedirect, fmt.Sprintf("%s?%s", signInURL, query.Encode()))

// get nothing but "Some of your credentials are missing"

Upvotes: 3

Views: 348
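The two-step console federation exchange the linked AWS doc describes, written out in full as an added Go example that is not part of the post. The endpoint URL and the three Session key names (sessionId, sessionKey, sessionToken) come from that doc; the part the post elides is the shape of the Session document, which is where the console's "credentials are missing" complaint is usually rooted. Credential values used in tests are constructed placeholders.

```go
package main

import (
	"encoding/json"
	"errors"
	"net/url"
)

// Sign-in federation endpoint named in the AWS doc linked from the post.
const federationEndpoint = "https://signin.aws.amazon.com/federation"

// Key names are fixed by the federation endpoint, not chosen here.
type sessionJSON struct {
	SessionID    string `json:"sessionId"`
	SessionKey   string `json:"sessionKey"`
	SessionToken string `json:"sessionToken"`
}

// BuildSessionJSON packs the STS temporary credentials into the Session document
// and refuses an incomplete set rather than letting the console reject it later.
func BuildSessionJSON(accessKeyID, secretAccessKey, sessionToken string) (string, error) {
	if accessKeyID == "" || secretAccessKey == "" || sessionToken == "" {
		return "", errors.New("all three temporary-credential fields are required")
	}
	b, err := json.Marshal(sessionJSON{accessKeyID, secretAccessKey, sessionToken})
	return string(b), err
}

// BuildGetSigninTokenURL is the server-side call; url.Values.Encode percent-encodes the JSON.
func BuildGetSigninTokenURL(session string) string {
	q := url.Values{"Action": {"getSigninToken"}, "SessionType": {"json"}, "Session": {session}}
	return federationEndpoint + "?" + q.Encode()
}

// ParseSigninToken reads the {"SigninToken": "..."} response body.
func ParseSigninToken(body []byte) (string, error) {
	var resp struct{ SigninToken string }
	if err := json.Unmarshal(body, &resp); err != nil || resp.SigninToken == "" {
		return "", errors.New("no SigninToken in response")
	}
	return resp.SigninToken, nil
}

// BuildLoginURL is the browser redirect; only the short-lived SigninToken
// travels in it, never the STS credentials themselves.
func BuildLoginURL(issuer, destination, signinToken string) string {
	q := url.Values{"Action": {"login"}, "Issuer": {issuer},
		"Destination": {destination}, "SigninToken": {signinToken}}
	return federationEndpoint + "?" + q.Encode()
}
```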

Answers (0)
