anaz8

Reputation: 125

python boto3 error: Not authorized to perform assumed role on resource

I am trying to move files from an S3 bucket in one account (source account) to an S3 bucket in another account (destination account). I am using a SageMaker notebook, so I have a SageMaker role. I also have a role in my team account which has full S3 access and full SageMaker access, and in the trust relationship I have given the destination account role ARN and the SageMaker role ARN. The destination account also has my team role ARN and SageMaker role ARN in its trust policy.

I am trying to assume my team role, and then I will assume the destination role to copy files.

    import boto3
    sts_client = boto3.client('sts')
    assumed_teamrole_object = sts_client.assume_role(DurationSeconds=1800,
                                                     RoleArn='myteamrole',
                                                     RoleSessionName='test1')
    assumed_destrole_object = sts_client.assume_role(DurationSeconds=1800,
                                                     ExternalId='externalid provided by destination account',
                                                     RoleArn='destination account role',
                                                     RoleSessionName='test2')

The first three lines execute fine. When I try to assume the destination role I am getting the error:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::role/AmazonSageMaker-ExecutionRole-/SageMaker is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::destinationrole

Is there something I am missing? What am I doing wrong? Please help. I don't have any user, it is just roles.

Thanks!

Upvotes: 1

Views: 2377

Answers (1)

Marcin

Reputation: 238967

The error message indicates that you are missing sts:AssumeRole permissions. Your comments indicate that this is the case, as you have only S3 permissions for now.

To rectify this, you can add an inline policy to the AmazonSageMaker-ExecutionRole role, in the form of:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
}

You can further limit the Resource to only arn:aws:iam::destinationrole. But for tests you can try with * as Resource.

Upvotes: 1
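One detail worth reading out of the error text in the question: the denied principal is the SageMaker execution role, not the team role. That is because the second `assume_role` in the posted code is issued on the same `sts_client`, which is still signed with the notebook's default credentials; the temporary credentials returned by the first hop are never used. The example below is an added illustration, not code from the post or the answer. It shows the posted pattern next to proper role chaining (a second STS client built from the team role's temporary credentials, so the destination account's trust relationship with the team role is what gets evaluated), enforces the one-hour ceiling that AWS applies to role-chained sessions, and keeps the `ExternalId` on the second hop. The account IDs, role names, external ID, and the in-memory `FakeSts` stand-in are constructed for the demo; the `boto3` functions at the bottom are the real wiring and need credentials and network access.

```python
"""Role chaining for a cross-account S3 copy from a SageMaker notebook.

Added example, not code from the post. The ARNs, external ID and the
in-memory STS stand-in (FakeSts) are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

try:  # boto3 is only needed for the real AWS path; the offline demo runs without it
    import boto3
except ImportError:
    boto3 = None

# A session obtained through AssumeRole may itself call AssumeRole for at most
# one hour, regardless of the second role's configured MaxSessionDuration.
MAX_CHAINED_SESSION_SECONDS = 3600

# Constructed ARNs standing in for the three roles in the post (hypothetical account IDs).
SAGEMAKER_ROLE = "arn:aws:iam::111111111111:role/AmazonSageMaker-ExecutionRole-demo"
TEAM_ROLE = "arn:aws:iam::111111111111:role/team-role"
DEST_ROLE = "arn:aws:iam::222222222222:role/destination-role"
DEST_EXTERNAL_ID = "ext-id-from-destination-account"


@dataclass(frozen=True)
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    role_arn: str  # the IAM role these temporary credentials were issued for


class DenyError(Exception):
    """Stands in for botocore's ClientError with error code AccessDenied."""


def credentials_from_response(resp: dict, role_arn: str) -> Credentials:
    c = resp["Credentials"]
    return Credentials(c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"], role_arn)


def naive_second_hop(make_sts, team_role_arn: str, dest_role_arn: str, external_id: str) -> str:
    """Mirrors the posted code: both AssumeRole calls go through the client built from
    the notebook's default credentials. Returns the denial text, or "ok"."""
    sts = make_sts(None)
    sts.assume_role(RoleArn=team_role_arn, RoleSessionName="test1", DurationSeconds=1800)
    try:  # the caller here is still the SageMaker execution role, not the team role
        sts.assume_role(RoleArn=dest_role_arn, RoleSessionName="test2",
                        ExternalId=external_id, DurationSeconds=1800)
    except DenyError as err:
        return str(err)
    return "ok"


def chain_roles(make_sts, team_role_arn: str, dest_role_arn: str, external_id: str,
                duration_seconds: int = 1800) -> Credentials:
    """Hop 1 with the default credentials, hop 2 signed with hop 1's temporary
    credentials, so the destination role sees the team role as its caller."""
    if not 900 <= duration_seconds <= MAX_CHAINED_SESSION_SECONDS:
        raise ValueError("role-chained sessions must request between 900 and 3600 seconds")
    team_resp = make_sts(None).assume_role(RoleArn=team_role_arn, RoleSessionName="team-hop",
                                           DurationSeconds=duration_seconds)
    team = credentials_from_response(team_resp, team_role_arn)
    team_sts = make_sts(team)  # new client: requests are now signed as the team role
    dest_resp = team_sts.assume_role(RoleArn=dest_role_arn, RoleSessionName="dest-hop",
                                     ExternalId=external_id,  # confused-deputy check chosen by the destination account
                                     DurationSeconds=duration_seconds)
    return credentials_from_response(dest_resp, dest_role_arn)


# ---- real AWS wiring (needs boto3, credentials and network) -----------------
def boto3_sts(creds: Optional[Credentials]):
    """Factory for chain_roles: None means the notebook's default credential chain."""
    if creds is None:
        return boto3.client("sts")
    return boto3.client("sts", aws_access_key_id=creds.access_key_id,
                        aws_secret_access_key=creds.secret_access_key,
                        aws_session_token=creds.session_token)


def copy_object_as(creds: Credentials, src_bucket: str, key: str, dst_bucket: str) -> None:
    """The copying identity needs s3:GetObject on the source and s3:PutObject on the
    destination; across accounts the source bucket policy must grant the read."""
    s3 = boto3.client("s3", aws_access_key_id=creds.access_key_id,
                      aws_secret_access_key=creds.secret_access_key,
                      aws_session_token=creds.session_token)
    s3.copy_object(CopySource={"Bucket": src_bucket, "Key": key}, Bucket=dst_bucket, Key=key)


# ---- offline stand-in so the two approaches can be compared without AWS -----
class FakeSts:
    """Constructed STS: a role trusts exactly the callers listed in TRUST, and a role
    listed in EXTERNAL_IDS additionally requires that ExternalId on the call."""
    TRUST = {TEAM_ROLE: {SAGEMAKER_ROLE}, DEST_ROLE: {TEAM_ROLE}}
    EXTERNAL_IDS = {DEST_ROLE: DEST_EXTERNAL_ID}

    def __init__(self, caller_arn: str):
        self.caller_arn = caller_arn  # identity that signs this client's requests

    def assume_role(self, **kw) -> dict:
        role = kw["RoleArn"]
        required_ext = self.EXTERNAL_IDS.get(role)
        ext_ok = required_ext is None or kw.get("ExternalId") == required_ext
        if self.caller_arn not in self.TRUST.get(role, set()) or not ext_ok:
            raise DenyError(f"User: {self.caller_arn} is not authorized to perform: "
                            f"sts:AssumeRole on resource: {role}")
        session = kw["RoleSessionName"]
        return {"Credentials": {"AccessKeyId": f"ASIA-{session}", "SecretAccessKey": "fake",
                                "SessionToken": f"token-{session}"},
                "AssumedRoleUser": {"Arn": f"{role}/{session}"}}


def fake_sts(creds: Optional[Credentials]) -> FakeSts:
    return FakeSts(SAGEMAKER_ROLE if creds is None else creds.role_arn)


if __name__ == "__main__":
    print(naive_second_hop(fake_sts, TEAM_ROLE, DEST_ROLE, DEST_EXTERNAL_ID))
    print(chain_roles(fake_sts, TEAM_ROLE, DEST_ROLE, DEST_EXTERNAL_ID).role_arn)
```

Against real AWS, call `chain_roles(boto3_sts, ...)` and hand the returned credentials to `copy_object_as`. If you instead take the route in the answer and grant the SageMaker execution role `sts:AssumeRole`, scope the `Resource` to the specific role ARNs it is meant to assume rather than `*`; with `*` the notebook can assume any role in any account whose trust policy happens to name it.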
