Reputation: 37
access denied error when retrieving temporary credentials from aws with boto3
I'm trying to get a set of temporary credentials from AWS using boto3 following this example.
import boto3
from botocore.errorfactory import ClientError
# create an STS client object that represents a live connection to the
# STS service
sts_client = boto3.client('sts')
# Call the assume_role method of the STSConnection object and pass the role
# ARN and a role session name
assumed_role_object = sts_client.assume_role(
RoleArn="aws:iam::123456789:role/Upload_Data_To_S3",
RoleSessionName="iam-s3-upload"
)
# From the response that contains the assumed role, get the temporary
# credentials that can be used to make subsequent API calls
credentials = assumed_role_object['Credentials']
# Use the temporary credentials that AssumeRole returns to make a
# connection to Amazon S3
s3_resource = boto3.resource(
's3',
aws_access_key_id=credentials['AccessKeyId'],
aws_secret_access_key=credentials['SecretAccessKey'],
aws_session_token=credentials['SessionToken'],
)
I get AccessDenied error with the following context:
Exception has occurred: ClientError
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::123456789:user/Yury is not authorized to perform: sts:AssumeRole on resource: aws:iam::123456789:role/Upload_Data_To_S3
File "/home/ystanev/git-projects/ap_renewables/HighSpeed/s3-data-upload/s3_upload.py", line 18, in <module>
RoleSessionName="iam-s3-upload"
My account number and the account number on the role match, thus I'm not sure why I can't assume a role under my own account. I've checked the IAM permissions under the AWS console, my account is attached to IAMFullAccess group.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:*",
"organizations:DescribeAccount",
"organizations:DescribeOrganization",
"organizations:DescribeOrganizationalUnit",
"organizations:DescribePolicy",
"organizations:ListChildren",
"organizations:ListParents",
"organizations:ListPoliciesForTarget",
"organizations:ListRoots",
"organizations:ListPolicies",
"organizations:ListTargetsForPolicy"
],
"Resource": "*"
}
]
}
I've checked the knowledge centre, but I'm not sure if this applies to my case as IAM role is under my account.
How can I check is I have the permission to assume the role, and if I don't set it to allowed.
Thanks, appreciate the help.
Upvotes: 0
Views: 1779
Answers (1)
Reputation: 4336
Your user needs the permission sts:AssumeRole. I don't see that in your policy. And then as a comment indicates, you need to make sure the Trust Relationship of the role you're assuming allows the account number of your user to assume it. The Trust Policy would end up looking something like:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account number of the role>:root"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
Best Practice would be to only allow your user's specific principal ARN to assume the role in the Trust Relationship, and then in the policy attached to your user you would explicitly list what roles can be assumed via sts:AssumeRole as opposed to allowing * access.
Upvotes: 1
Related Questions
- Access Denied using boto3 through aws Lambda
- Boto3 returns An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
- AWS boto3 InvalidAccessKeyId when using IAM role
- How to access IAM resources using temporary credentials
- Access denied when assuming role as IAM user via boto3
- Using boto3 with temporary credentials
- Error on getting aws account root user details using boto3
- How to give ec2 instance access to s3 using boto3
- Boto failing to authenticate with S3 IAM role
- Boto 403 AccessDenied Exception with IAM user credentials, Works in Cyberduck and AWS web console