Reputation: 37
I'm trying to get a set of temporary credentials from AWS using boto3, following this example.
import boto3
from botocore.errorfactory import ClientError

# create an STS client object that represents a live connection to the
# STS service
sts_client = boto3.client('sts')

# Call the assume_role method of the STSConnection object and pass the role
# ARN and a role session name
assumed_role_object = sts_client.assume_role(
    RoleArn="aws:iam::123456789:role/Upload_Data_To_S3",
    RoleSessionName="iam-s3-upload"
)

# From the response that contains the assumed role, get the temporary
# credentials that can be used to make subsequent API calls
credentials = assumed_role_object['Credentials']

# Use the temporary credentials that AssumeRole returns to make a
# connection to Amazon S3
s3_resource = boto3.resource(
    's3',
    aws_access_key_id=credentials['AccessKeyId'],
    aws_secret_access_key=credentials['SecretAccessKey'],
    aws_session_token=credentials['SessionToken'],
)
I get an AccessDenied error with the following context:
Exception has occurred: ClientError
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::123456789:user/Yury is not authorized to perform: sts:AssumeRole on resource: aws:iam::123456789:role/Upload_Data_To_S3
File "/home/ystanev/git-projects/ap_renewables/HighSpeed/s3-data-upload/s3_upload.py", line 18, in <module>
RoleSessionName="iam-s3-upload"
My account number and the account number on the role match, so I'm not sure why I can't assume a role under my own account. I've checked the IAM permissions in the AWS console; my account is attached to the IAMFullAccess group.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:*",
                "organizations:DescribeAccount",
                "organizations:DescribeOrganization",
                "organizations:DescribeOrganizationalUnit",
                "organizations:DescribePolicy",
                "organizations:ListChildren",
                "organizations:ListParents",
                "organizations:ListPoliciesForTarget",
                "organizations:ListRoots",
                "organizations:ListPolicies",
                "organizations:ListTargetsForPolicy"
            ],
            "Resource": "*"
        }
    ]
}
I've checked the knowledge centre, but I'm not sure if this applies to my case, as the IAM role is under my account.
How can I check if I have permission to assume the role, and if I don't, how do I set it to allowed?
Thanks, appreciate the help.
Upvotes: 0
Views: 1779
Reputation: 4336
Your user needs the permission sts:AssumeRole. I don't see that in your policy. And then, as a comment indicates, you need to make sure the Trust Relationship of the role you're assuming allows the account number of your user to assume it. The Trust Policy would end up looking something like:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account number of the role>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
Best practice would be to only allow your user's specific principal ARN to assume the role in the Trust Relationship, and then in the policy attached to your user you would explicitly list what roles can be assumed via sts:AssumeRole, as opposed to allowing * access.
Upvotes: 1
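The answer describes two halves of an AssumeRole decision: the role's trust policy must name the caller, and the caller's own identity policy must grant sts:AssumeRole on that role. The following is an added example, not code from the question or the answer: it builds both policies in the least-privilege shape the answer recommends (user ARN in the trust policy, specific role ARN in the identity policy), evaluates the trust half offline, and wraps the live IAM calls that apply and verify them (update_assume_role_policy, put_user_policy, get_role, simulate_principal_policy) plus the AssumeRole call itself. The account id, the user name `Yury` and the role name are placeholders taken from the question; note that the role ARN is written in the full `arn:aws:iam::<account>:role/<name>` form.

```python
"""Added example (not code from the question or the answer): the two policy
halves the answer describes, a local check of the trust half, and the live IAM
calls to apply and verify them. Account id, user and role names are placeholders."""
import json

ACCOUNT_ID = "123456789012"                          # placeholder account
USER_NAME = "Yury"                                   # user from the question
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/{USER_NAME}"
ROLE_NAME = "Upload_Data_To_S3"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/{ROLE_NAME}"  # full arn:aws:iam:: form


def trust_policy(principal_arns):
    """Trust (resource) policy on the role: only these principals may assume it.
    Scoping to the user ARN rather than the account root follows the answer's
    best-practice note."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": list(principal_arns)},
                           "Action": "sts:AssumeRole"}]}


def assume_role_policy(role_arns):
    """Identity policy on the user: sts:AssumeRole on named roles, not Resource "*"."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "sts:AssumeRole",
                           "Resource": list(role_arns)}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_allows(policy, principal_arn):
    """Offline evaluation of the trust half only: does `policy` let `principal_arn`
    call sts:AssumeRole? Matches the exact ARN, the principal's account root
    (ARN or bare account-id form) or "*"; an explicit Deny wins. Conditions
    (ExternalId, MFA, ...) are ignored here, so an Allow means "the trust policy
    is not the blocker", not a guarantee that AssumeRole succeeds."""
    account = principal_arn.split(":")[4]
    root_forms = {f"arn:aws:iam::{account}:root", account}
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("*", "sts:*", "sts:AssumeRole") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            matched = True
        else:  # service/federated principals never match an IAM user ARN
            aws = _as_list(principal.get("AWS", []))
            matched = any(p == "*" or p == principal_arn or p in root_forms for p in aws)
        if not matched:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def apply_policies():
    """Live: write both halves. Needs iam:UpdateAssumeRolePolicy and
    iam:PutUserPolicy (covered by the IAMFullAccess policy in the question)."""
    import boto3  # imported here so the offline helpers above need no boto3
    iam = boto3.client("iam")
    iam.update_assume_role_policy(RoleName=ROLE_NAME,
                                  PolicyDocument=json.dumps(trust_policy([USER_ARN])))
    iam.put_user_policy(UserName=USER_NAME, PolicyName="AssumeUploadDataRole",
                        PolicyDocument=json.dumps(assume_role_policy([ROLE_ARN])))


def check_policies():
    """Live: verify both halves without calling AssumeRole. Returns
    (trust_ok, identity_decision); the simulator reports "allowed",
    "implicitDeny" or "explicitDeny" for the user's own policies."""
    import boto3
    iam = boto3.client("iam")
    trust_doc = iam.get_role(RoleName=ROLE_NAME)["Role"]["AssumeRolePolicyDocument"]
    sim = iam.simulate_principal_policy(PolicySourceArn=USER_ARN,
                                        ActionNames=["sts:AssumeRole"],
                                        ResourceArns=[ROLE_ARN])
    return trust_allows(trust_doc, USER_ARN), sim["EvaluationResults"][0]["EvalDecision"]


def try_assume(role_arn=ROLE_ARN, session_name="iam-s3-upload"):
    """Live: the call from the question, returning the error code instead of raising."""
    import boto3
    from botocore.exceptions import ClientError
    try:
        resp = boto3.client("sts").assume_role(RoleArn=role_arn, RoleSessionName=session_name)
        return "OK", resp["Credentials"]["Expiration"].isoformat()
    except ClientError as exc:
        return exc.response["Error"]["Code"], exc.response["Error"]["Message"]


if __name__ == "__main__":
    print(json.dumps(trust_policy([USER_ARN]), indent=2))
    print(json.dumps(assume_role_policy([ROLE_ARN]), indent=2))
    print("trust half admits user:", trust_allows(trust_policy([USER_ARN]), USER_ARN))
```

Running the module prints the two policy documents and the offline trust check; `apply_policies()`, `check_policies()` and `try_assume()` need real credentials and are not called automatically. `check_policies()` is the direct answer to "how can I check": IAM's policy simulator only evaluates the user's identity policies, so the trust half is read back with get_role and evaluated locally.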