I have an AWS role with S3 read-only permissions. I have already configured the AWS CLI for an AWS user. So I want to use the same user to browse S3 files in the AWS CLI.
What I did is:
Added a trust relationship for the root user to the role arn:aws:iam::<1234...>:role/test-role
so that I can give this to all my IAM users.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<1234..>:root",
        "Service": "s3.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
Then, I added a policy to the user to assume the above role.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Stmt12345",
      "Effect": "Allow",
      "Action": [
        "sts:AssumeRole"
      ],
      "Resource": "arn:aws:iam::<1234...>:role/test-role"
    }
  ]
}
When I try to list, I get a permission denied error.
aws s3 ls
An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
I made sure that the role has full S3 read permission, as follows.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:Get*",
        "s3:List*"
      ],
      "Resource": "*"
    }
  ]
}
Can someone please guide me to where the problem is?
Upvotes: 3
If you're using the CLI you need a profile with the correct credentials.
You should have your credentials in an .aws/credentials file, e.g.:
[myprofile]
aws_access_key_id = ... access key ...
aws_secret_access_key = ... secret access key …
Then you can add a profile for the assumed role to the .aws/config file, e.g.:
[profile test-role]
source_profile = myprofile
role_arn = arn:aws:iam::<1234...>:role/test-role
Finally, you set AWS_PROFILE to test-role before running the CLI command:
SET AWS_PROFILE=test-role
aws s3 ls
I would have just posted a link to the AWS documentation but this site disapproves of link-only answers.
Upvotes: 1
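To confirm that the two-file profile chain from the answer is wired the way the CLI expects before running any command, here is an added check (example code written for this page, not from the answer or from AWS); the account id and key values are constructed placeholders.

```python
"""Added check: resolve a role profile the way the AWS CLI chains config files."""
import configparser
import re

# Constructed sample files mirroring the answer; account id and keys are placeholders.
CREDENTIALS_TEXT = """[myprofile]
aws_access_key_id = AKIAEXAMPLEPLACEHOLDER
aws_secret_access_key = secretexampleplaceholder
"""
CONFIG_TEXT = """[profile test-role]
source_profile = myprofile
role_arn = arn:aws:iam::123456789012:role/test-role
"""
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")


def _parse(text):
    parser = configparser.ConfigParser()
    parser.read_string(text)
    return parser


def resolve_role_profile(config_text, credentials_text, profile):
    """Return (role_arn, source_profile) for a usable role profile, else raise ValueError.

    The CLI looks for `[profile NAME]` in ~/.aws/config (role_arn + source_profile) and
    for `[SOURCE]` (no "profile " prefix) in ~/.aws/credentials, whose long-lived keys
    are what actually call sts:AssumeRole. A plain `aws s3 ls` with no profile never
    assumes the role, which is why the question's user policy alone gives AccessDenied.
    """
    config, creds = _parse(config_text), _parse(credentials_text)
    section = f"profile {profile}"
    if not config.has_section(section):
        raise ValueError(f"config has no [{section}] section")
    role_arn = config.get(section, "role_arn", fallback=None)
    source = config.get(section, "source_profile", fallback=None)
    if not role_arn or not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"[{section}] needs a valid role_arn, got {role_arn!r}")
    if not source:
        raise ValueError(f"[{section}] needs a source_profile")
    if not creds.has_section(source):
        raise ValueError(f"credentials file has no [{source}] section")
    for key in ("aws_access_key_id", "aws_secret_access_key"):
        if not creds.get(source, key, fallback=None):
            raise ValueError(f"[{source}] is missing {key}")
    return role_arn, source
```

Once the files pass this check, `aws sts get-caller-identity --profile test-role` should report an assumed-role ARN rather than the IAM user's ARN, which is the quickest way to see that the role is really being assumed.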