
Reputation: 3

AWS assume role access denied while using SDK

I am using the Go SDK to create a new role and assume it. Both are done with the same IAM user. The role trust relationship is as follows:

{
    "Statement": [{
        "Effect": "Allow",
        "Principal": { "AWS": "<an admin user>" },
        "Action": [ "sts:AssumeRole" ]
    }]
}

Later, when trying to add an object to a bucket, I can create a session token, but the PutObject operation fails with AccessDenied. The bucket policy is:

{
      "Effect": "Allow",
      "Action":"s3:*",
      "Resource": [
        "arn:aws:s3:::<name of the bucket>/*"
      ],
      "Condition": {}
}

Upvotes: 0

Views: 1411

Answers (1)

b.short

Reputation: 131

If the role you are assuming does not grant access to the S3 bucket via the role policies, you'll need to add the role as a principal to the bucket policy.

There's a handy tool here: https://awspolicygen.s3.amazonaws.com/policygen.html that helps with generating bucket policies. But it should end up looking like:

{
      "Effect": "Allow",
      "Action":"s3:*",
      "Principal": {
          "AWS": ["arn:aws:iam::<accountid>:role/<name of assumed role>"]
      },
      "Resource": [
        "arn:aws:s3:::<name of the bucket>/*"
      ],
      "Condition": {}
}

Upvotes: 1
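Added example (editor's code, not from the question, the answer, or the AWS SDK): a small Go checker that evaluates the two statements above the way the S3 bucket-policy side of an authorization decision does, and shows why the question's statement cannot grant the assumed role anything while the answer's can. It is a deliberate simplification of IAM evaluation: it matches Principal, Action (case-insensitively) and Resource with IAM-style `*` wildcards and honours explicit Deny, but ignores Condition blocks and the role's own identity policies, and only understands object-form `"AWS"` principals (a bare `"Principal": "*"` is reported as a parse error). The account id 123456789012, the role name ExampleRole, the session name go-sdk-session and the bucket name example-bucket are placeholders; both policy documents are constructed by wrapping the page's statements in a `Statement` array.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// stringOrList accepts the JSON string or array forms IAM uses for Action, Resource and Principal.AWS.
type stringOrList []string

func (s *stringOrList) UnmarshalJSON(b []byte) error {
	if b[0] == '"' { // a single string: wrap it so it decodes as a one-element list
		b = append(append([]byte{'['}, b...), ']')
	}
	return json.Unmarshal(b, (*[]string)(s))
}

type statement struct {
	Effect    string
	Principal struct{ AWS stringOrList } // only object-form "AWS" principals are modelled; absent leaves AWS empty
	Action    stringOrList
	Resource  stringOrList
}

// Constructed sample inputs: the page's two statements wrapped as bucket policy documents, placeholder names throughout.
const (
	CallerARN      = "arn:aws:sts::123456789012:assumed-role/ExampleRole/go-sdk-session"
	QuestionPolicy = `{"Statement":[{"Effect":"Allow","Action":"s3:*","Resource":["arn:aws:s3:::example-bucket/*"],"Condition":{}}]}`
	AnswerPolicy   = `{"Statement":[{"Effect":"Allow","Action":"s3:*","Principal":{"AWS":["arn:aws:iam::123456789012:role/ExampleRole"]},"Resource":["arn:aws:s3:::example-bucket/*"],"Condition":{}}]}`
)

// WildcardMatch is IAM-style matching: '*' matches any run of characters, '/' included.
func WildcardMatch(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	if pattern[0] != '*' {
		return s != "" && s[0] == pattern[0] && WildcardMatch(pattern[1:], s[1:])
	}
	for i := 0; i <= len(s); i++ {
		if WildcardMatch(pattern[1:], s[i:]) {
			return true
		}
	}
	return false
}

// RoleARN maps an STS assumed-role session ARN to the IAM role ARN a bucket policy names as Principal.
func RoleARN(caller string) string {
	acct, rest, ok := strings.Cut(strings.TrimPrefix(caller, "arn:aws:sts::"), ":assumed-role/")
	if !ok || !strings.HasPrefix(caller, "arn:aws:sts::") {
		return caller // not an assumed-role session ARN: leave unchanged
	}
	role, _, _ := strings.Cut(rest, "/") // "Role/Session" -> "Role"
	return "arn:aws:iam::" + acct + ":role/" + role
}

func anyMatch(patterns []string, v string, match func(pat, v string) bool) bool {
	for _, pat := range patterns {
		if match(pat, v) {
			return true
		}
	}
	return false
}

// Evaluate reports whether caller may perform action on resource under bucket policy doc, with a reason that tells a missing Principal apart from a mismatched one.
func Evaluate(doc []byte, caller, action, resource string) (allowed bool, reason string, err error) {
	var p struct{ Statement []statement }
	if err = json.Unmarshal(doc, &p); err != nil {
		return false, "", err
	}
	caller, reason = RoleARN(caller), "no statement matches"
	for i, st := range p.Statement {
		if len(st.Principal.AWS) == 0 {
			reason = fmt.Sprintf("statement %d has no Principal, so it grants nobody anything", i)
			continue
		}
		if !anyMatch(st.Principal.AWS, caller, func(pat, c string) bool { return pat == "*" || pat == c }) ||
			!anyMatch(st.Action, action, func(pat, a string) bool { return WildcardMatch(strings.ToLower(pat), strings.ToLower(a)) }) ||
			!anyMatch(st.Resource, resource, WildcardMatch) {
			continue
		}
		if strings.EqualFold(st.Effect, "Deny") { // an explicit Deny always wins
			return false, fmt.Sprintf("statement %d explicitly denies %s", i, action), nil
		}
		allowed, reason = true, fmt.Sprintf("statement %d allows %s for %s", i, action, caller)
	}
	return allowed, reason, nil
}

func main() {
	for _, doc := range []string{QuestionPolicy, AnswerPolicy} {
		fmt.Println(Evaluate([]byte(doc), CallerARN, "s3:PutObject", "arn:aws:s3:::example-bucket/uploads/file.txt"))
	}
}
```

Two points the output makes visible: the caller of PutObject is the assumed-role session (`arn:aws:sts::...:assumed-role/ExampleRole/...`), which a bucket policy matches through the role ARN that RoleARN derives, and the question's statement is shaped like an identity-based policy statement (no Principal), so it only grants anything if it is attached to the role itself; as a bucket policy statement it names nobody. Note also that the answer's `Resource` covers `example-bucket/*` only, so object operations such as PutObject are allowed while bucket-level operations on `arn:aws:s3:::example-bucket` itself are not.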
