WebDevDudeSRQ

Reputation: 1

How to fix getFederationToken returns 403 not authorized error after upgrading from SDK version 1 to 3

We have existing code that uses AWS PHP SDK version 1 AmazonSTS()->get_federation_token(). After upgrading to SDK version 3, the same call using the same credentials, resource and policy returns a 403 not authorized error.

Version and region appear to be the same. The policy JSON is the same. The user credentials used to make the call are the same (and if I switch back to the SDK v1 they still work). I have the debug option set, but it doesn't appear to provide any additional information as to why the same user is not authorized to perform the same function getFederationToken on the same federated user.

Old code that works:

    $client = new AmazonSTS();
    $policy = new stdClass();
    $policy->Statement = [
        'Sid' => 'randomstatementid' . time(),
        'Action' => ['s3:*'],
        'Effect' => 'Allow',
        'Resource' => 'aws:s3:::' . $AWS_BUCKET . '*'
    ];

    // Fetch the session credentials.
    $response = $client->get_federation_token('User1',array(
        'Policy' => json_encode($policy),
        'DurationSeconds' => $NUMSECS
    ));

New code that returns 403 error:

    $client = new Aws\Sts\StsClient([
        'region' => 'us-east-1',
        'version' => '2011-06-15',
    ]);
    $policy = new stdClass();
    $policy->Statement = [
        'Sid' => 'randomstatementid' . time(),
        'Action' => ['s3:*'],
        'Effect' => 'Allow',
        'Resource' => 'aws:s3:::' . $AWS_BUCKET . '*'
    ];
    try {
        $response = $client->getFederationToken([
            'Name' => 'User1',
            'Policy' => json_encode($policy),
            'DurationSeconds' => $NUMSECS,
        ]);
    } catch (Exception $e) {
        var_dump($e);
        die();
    }

The first example returns temporary credentials for the federated user User1. The second example returns 403 forbidden error (I'm hiding the actual account id):

    <Error>
        <Type>Sender</Type>
        <Code>AccessDenied</Code>
        <Message>User: arn:aws:iam::[account id]:user/portal is not authorized to perform: sts:GetFederationToken on resource: arn:aws:sts::[account id]:federated-user/User1</Message>
    </Error>

Upvotes: 0

Views: 1033

Answers (1)

WebDevDudeSRQ

Reputation: 1

Turns out I was looking at the wrong credentials. I found the correct credentials hard-coded in the script :(

Upvotes: 0
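A credential-checking version of the v3 call, added here as an example (not code from the question or from the AWS SDK docs): it resolves credentials through the SDK's own provider chain instead of hard-coding keys, prints which IAM principal they map to via GetCallerIdentity, and only then requests the federation token. It assumes Composer autoloading, a placeholder bucket name, and that the policy uses full `arn:aws:s3:::` resource ARNs.

```php
<?php
require 'vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Exception\AwsException;
use Aws\Sts\StsClient;

$bucket = 'example-bucket'; // placeholder bucket name (assumption)

// Resolve credentials the same way the v3 client does (env vars, ini profile,
// instance role ...) so the identity in use is visible before the STS call.
$provider = CredentialProvider::defaultProvider();
$creds = $provider()->wait();
printf("Access key in use: %s...\n", substr($creds->getAccessKeyId(), 0, 4));

$sts = new StsClient([
    'region'      => 'us-east-1',
    'version'     => '2011-06-15',
    'credentials' => $provider, // explicit provider; no keys hard-coded in the script
]);

try {
    // Which IAM principal do these credentials map to? It needs sts:GetFederationToken.
    $who = $sts->getCallerIdentity();
    printf("Calling as: %s\n", $who['Arn']);

    // Session policy scoped to one bucket: Statement as a list, full ARN resources.
    $policy = [
        'Version'   => '2012-10-17',
        'Statement' => [[
            'Sid'      => 'BucketAccess' . time(),
            'Effect'   => 'Allow',
            'Action'   => ['s3:GetObject', 's3:PutObject', 's3:ListBucket'],
            'Resource' => ['arn:aws:s3:::' . $bucket, 'arn:aws:s3:::' . $bucket . '/*'],
        ]],
    ];

    $result = $sts->getFederationToken([
        'Name'            => 'User1',
        'Policy'          => json_encode($policy),
        'DurationSeconds' => 3600,
    ]);
    printf("Federated user %s, expires %s\n",
        $result['FederatedUser']['Arn'], $result['Credentials']['Expiration']);
} catch (AwsException $e) {
    // v3 exposes the error code; AccessDenied means the caller lacks the
    // sts:GetFederationToken permission, not that the policy JSON is malformed.
    fwrite(STDERR, $e->getAwsErrorCode() . ': ' . $e->getAwsErrorMessage() . "\n");
    exit(1);
}
```

If the ARN printed by GetCallerIdentity is not the user you expected, the SDK is picking up a different credential source than the one you tested with v1, which is exactly the situation in the accepted answer.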
