Reputation: 322
Question: I need to switch role via script. Is the sts:AssumeRole permission enough for that?
Elaboration: I log into my MFA-enabled AWS account via the console. The role that I log into by default does not have permission to execute anything. For spinning up an EC2 instance, I need to switch role. I go to 'Switch Role', and using an account and role, I switch into a different role that has permission to create EC2 instances. I want to achieve the same via Ansible scripts.
A snippet of my yml script looks like this:
tasks:
  - sts_assume_role:
      role_arn: "{{role_arn}}"
      role_session_name: "{{role_session_name}}"
      region: "{{app_region}}"
      aws_access_key: "{{ aws_access_key_id }}"
      aws_secret_key: "{{ aws_secret_access_key }}"
    register: assumed_role
  # prints the temporary secret key and session token into the playbook output
  - debug:
      msg: "aws_access_key: {{ assumed_role.sts_creds.access_key }},
            aws_secret_key: {{ assumed_role.sts_creds.secret_key }},
            security_token: {{ assumed_role.sts_creds.session_token }}"
However, this results in an error similar to:
A client error (AccessDenied) occurred when calling the AssumeRole operation: User: arn:aws:iam:::user/ is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam:::role/
This is the same error I get from the AWS CLI as well.
While I understand that I do not have the sts:AssumeRole permission to accomplish this, I have raised this with the internal team in my company. However, for some unknown reason it is taking them way too long, even with multiple follow-ups.
All I want to know is whether getting this permission would be enough, or whether I would need more privileges. Of course, this is assuming that sts:AssumeRole is the right privilege for this. Also, do I need MFA anywhere in this when doing it via script? I use MFA manually only the first time I log into my default account from the console.
Thanks in advance for the help, and my apologies if some of this sounds way too basic, but I am just trying to get things up and running under a severe time crunch.
Upvotes: 3
Views: 1238
Reputation: 322
So I guess the problem was not with permissions, but with a problem in boto2 (https://github.com/ansible/ansible-modules-extras/issues/2532).
I had to add extra parameters to sts_assume_role:
tasks:
  - sts_assume_role:
      role_arn: "{{role_arn}}"
      mfa_serial_number: "{{mfa_serial}}"
      # the current 6-digit code, read from the MFA environment variable
      mfa_token: "{{ lookup('env', 'MFA') }}"
      role_session_name: "{{role_session_name}}"
      region: "{{app_region}}"
      aws_access_key: "{{ aws_access_key_id }}"
      aws_secret_key: "{{ aws_secret_access_key }}"
@Sudo was right in the sense that the MFA policy was enforced, but the broken boto2 plugin was the primary cause of the pain, as even after putting in the MFA details the CLI still isn't working for me (I haven't tried fixing it, as my final goal was to switch role via Ansible).
Some Python code that I got from the AWS docs (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_mfa_sample-code.html) was the proof that permissions weren't the issue but that some plugin was broken, which led to this finding.
Upvotes: 1
Reputation: 2317
Without the role's trust policy or the IAM user's permission policy, I can only guess: either the IAM user has an enforce-MFA policy attached, i.e. deny anything unless MFA'd, or the role you are trying to assume requires you to use MFA.
So, either you can use GetSessionToken, passing the MFA token, to get temporary credentials and then make the AssumeRole API call, or you can pass the MFA token while you are calling the AssumeRole API.
Upvotes: 4
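Both options from this answer, written out in boto3 as an added example (not code from the original posts). The role and MFA device ARNs are placeholders to substitute, boto3 is assumed to be installed for the actual STS call, and the helper functions that build the request and map the returned credentials need neither the SDK nor network access.

```python
from typing import Dict, Optional


def assume_role_params(role_arn: str, session_name: str,
                       mfa_serial: Optional[str] = None,
                       mfa_code: Optional[str] = None) -> Dict[str, str]:
    """Build the AssumeRole request. If the role's trust policy (or a
    deny-unless-MFA policy on the user) demands MFA, SerialNumber and
    TokenCode have to travel on the AssumeRole call itself (option 2)."""
    params = {"RoleArn": role_arn, "RoleSessionName": session_name}
    if mfa_serial or mfa_code:
        if not (mfa_serial and mfa_code):
            raise ValueError("MFA needs both the device serial and the current code")
        if not (mfa_code.isdigit() and len(mfa_code) == 6):
            raise ValueError("TokenCode must be the 6-digit code from the device")
        params.update(SerialNumber=mfa_serial, TokenCode=mfa_code)
    return params


def creds_to_env(credentials: Dict[str, str]) -> Dict[str, str]:
    """Map an STS Credentials block to the variables the AWS CLI and Ansible
    read. The session token is not optional: a temporary access key used
    without it is rejected as invalid."""
    return {"AWS_ACCESS_KEY_ID": credentials["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": credentials["SecretAccessKey"],
            "AWS_SESSION_TOKEN": credentials["SessionToken"]}


def assume_role_with_mfa(role_arn: str, session_name: str, mfa_serial: str,
                         mfa_code: str, via_session_token: bool = False) -> Dict[str, str]:
    """Return env-style temporary credentials for the role, either by
    passing MFA straight to AssumeRole or by taking an MFA-backed
    GetSessionToken session first and assuming the role from it."""
    import boto3  # imported here so the pure helpers above need no SDK or network
    sts = boto3.client("sts")
    if via_session_token:
        # Option 1: MFA on GetSessionToken. That session may call AssumeRole and
        # carries the aws:MultiFactorAuthPresent context, so MFA is not repeated.
        tmp = sts.get_session_token(SerialNumber=mfa_serial, TokenCode=mfa_code)["Credentials"]
        sts = boto3.client("sts", aws_access_key_id=tmp["AccessKeyId"],
                           aws_secret_access_key=tmp["SecretAccessKey"],
                           aws_session_token=tmp["SessionToken"])
        params = assume_role_params(role_arn, session_name)
    else:
        # Option 2: MFA serial and code on the AssumeRole call itself.
        params = assume_role_params(role_arn, session_name, mfa_serial, mfa_code)
    return creds_to_env(sts.assume_role(**params)["Credentials"])
```

Called as `assume_role_with_mfa("arn:aws:iam::123456789012:role/ExampleRole", "ansible-ec2", "arn:aws:iam::123456789012:mfa/example-user", os.environ["MFA"])`, it mirrors the Ansible snippet above, which reads the current code from the `MFA` environment variable.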