Reputation: 1871
I have created a new IAM role, which has access (Scan/Query) to specific DynamoDB tables.
I am trying to use the STS AssumeRole API call from my Lambda function, so that the Lambda function gets access to the specific DynamoDB tables.
The AssumeRole call was successful; I got the role ID, AccessKeyId, Secret Access Key and Session Token.
When I make a call from my Lambda function to access DynamoDB, I am getting an error:
AccessDeniedException: User: arn:aws:sts::>:assumed-role/ota-dev-us-east-1-lambdaRole/ is not authorized to perform: dynamodb:Scan on resource: arn:aws:dynamodb:us-east-1:>:table/<>
My question is: even after the AssumeRole call was successful in the Lambda function, why is the Lambda function still using the older role to access DynamoDB?
I was expecting the Lambda function to assume the new role, but from the logs it looks like it is still using the older role.
It looks like I am missing some steps in between.
Upvotes: 2
Views: 1956
Reputation: 14905
The STS AssumeRole call, depending on how you trigger it, does not automatically refresh the credentials in the AWS.config global object of the SDK.
You need to retrieve the access key, session key and session token returned by AssumeRole and pass them to your global AWS credentials SDK object.
The exact code will depend on the programming language you are using; here is the doc for Python's Boto3:
https://boto3.amazonaws.com/v1/documentation/api/latest/guide/configuration.html
On a side note, I wonder why you do not give permanent access to your DynamoDB table in the Lambda execution role. Is this to limit the function's reach and give fine-grained access control at runtime, based on the caller's identity?
Upvotes: 2
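The following is an added example, not code from the question or the answer above, showing the missing step in Python with boto3: the temporary credentials returned by sts:AssumeRole are passed explicitly to the DynamoDB client, so requests are signed with the assumed role rather than the Lambda execution role that the SDK's default credential chain picks up. The role ARN, session name, region and table name are hypothetical placeholders, and the AssumeRole response used for the stand-alone check is constructed; `boto3.client(..., aws_access_key_id=..., aws_secret_access_key=..., aws_session_token=...)` is the real boto3 signature.

```python
# Added example (not from the original question or answer): build the DynamoDB
# client from the temporary credentials that sts:AssumeRole returned instead of
# relying on the default credential chain, which in Lambda resolves to the
# execution role (the "older role" seen in the AccessDeniedException).
# Role ARN, session name, region and table name below are hypothetical
# placeholders; no real account values are used.
from datetime import datetime, timedelta, timezone

REFRESH_SKEW = timedelta(seconds=60)  # refresh a little before Expiration


def credentials_from_assume_role(response):
    """Translate an AssumeRole response into the keyword arguments boto3's
    client()/Session() accept. Unless these are passed explicitly, the client
    silently keeps using the execution role's credentials."""
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }


def credentials_need_refresh(response, now=None):
    """Temporary credentials expire. Lambda containers are reused across
    invocations, so a cached AssumeRole result must be checked against
    Credentials.Expiration before reuse."""
    expiration = response["Credentials"]["Expiration"]
    now = now or datetime.now(timezone.utc)
    return now >= expiration - REFRESH_SKEW


def assume_role(role_arn, session_name, sts_client=None, duration=900):
    """Call sts:AssumeRole and return the raw response. An sts_client can be
    injected (a stub in the offline check); otherwise boto3 is imported lazily
    so this module also loads where boto3 is not installed."""
    if sts_client is None:
        import boto3  # only needed on a real AWS runtime
        sts_client = boto3.client("sts")
    return sts_client.assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=duration
    )


_cached_response = None  # module-level cache survives warm invocations


def dynamodb_client_as_role(role_arn, session_name, region, sts_client=None):
    """Return a DynamoDB client whose requests are signed with the assumed
    role's temporary credentials, refreshing them when they are about to expire."""
    global _cached_response
    if _cached_response is None or credentials_need_refresh(_cached_response):
        _cached_response = assume_role(role_arn, session_name, sts_client)
    import boto3
    return boto3.client(
        "dynamodb", region_name=region, **credentials_from_assume_role(_cached_response)
    )


def scan_table(client, table_name):
    """Scan with LastEvaluatedKey pagination. Every page request is signed with
    the credentials bound to `client`, so the assumed role's dynamodb:Scan
    permission (not the execution role's) is what IAM evaluates."""
    items, kwargs = [], {"TableName": table_name}
    while True:
        page = client.scan(**kwargs)
        items.extend(page.get("Items", []))
        last_key = page.get("LastEvaluatedKey")
        if not last_key:
            return items
        kwargs["ExclusiveStartKey"] = last_key


def lambda_handler(event, context):
    """Hypothetical handler wiring the pieces together (placeholder values)."""
    client = dynamodb_client_as_role(
        role_arn="arn:aws:iam::123456789012:role/PLACEHOLDER-dynamodb-reader",
        session_name="lambda-dynamodb-access",
        region="us-east-1",
    )
    return {"count": len(scan_table(client, "PLACEHOLDER-table"))}
```

The execution role then only needs `sts:AssumeRole` on the target role (plus the target role's trust policy naming the execution role), and the DynamoDB permissions live solely on the assumed role, which is the fine-grained arrangement the answer asks about. Keeping the AssumeRole result in a module-level cache avoids an STS call on every warm invocation, while the expiry check prevents reusing credentials past their `Expiration`.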