Why are my lambda/alexa-hosted skill permissions being denied?

Question

My goal is to integrate an Alexa-hosted skill with AWS IoT. I'm getting an access denied exception runinng the following python code from this thread:

iota = boto3.client('iotanalytics')  
response = iota.get_dataset_content(datasetName='my_dataset_name',versionId='$LATEST',roleArn = "arn:aws:iam::123456789876:role/iotTest")
contentState = response['status']['state']
        
if (contentState == 'SUCCEEDED') :
    url = response['entries'][0]['dataURI']
    stream = urllib.request.urlopen(url)
    reader = csv.DictReader(codecs.iterdecode(stream, 'utf-8'))        

What's weird is that the get_dataset_content() method described here has no mention of needing permissions or credentials. Despite this, I have also gone through the steps to use personal AWS resources with my alexa-hosted skill with no luck. As far as I can tell there is no place for me to specify the ARN of the role with the correct permissions. What am I missing?

Oh, and here's the error message the code above throws:

botocore.exceptions.ClientError: An error occurred (AccessDeniedException) when calling the GetDatasetContent operation: User: arn:aws:sts::123456789876:assumed-role/AlexaHostedSkillLambdaRole/a224ab4e-8192-4469-b56c-87ac9a34a3e8 is not authorized to perform: iotanalytics:GetDatasetContent on resource: arn:aws:iotanalytics:us-east-1:123456789876:dataset/my_project_name

I have created a role called demo, which has complete admin access. I have also given it the following trust relationship:

  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "iotanalytics.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789876:role/AlexaHostedSkillLambdaRole"
      },
      "Action": "sts:AssumeRole"
    }
  ]
} 

--- The trust relationships tab displays this as well: ---
Trusted entities
The identity provider(s) iotanalytics.amazonaws.com
arn:aws:iam::858273942573:role/AlexaHostedSkillLambdaRole

Answer 1

I ran into this today and after an hour of pondering what is going on, i figured out my problem, and i think it may be the same as what you were running into.

As it turns out, most of the guides out there don't mention the fact that you have to do some work to have the assumed role be the actual role that is used when you build up the boto3 resource or client.

This is a good reference for that - AWS: Boto3: AssumeRole example which includes role usage

Basically, from my understanding, if you do not do that, the boto3 commands will still execute under the same base role that the Alexa Lambda uses - you must first create the assumed role, and then use it.

Additionally, your role you're assuming must have the privileges that it needs to do what you are trying to do - but that's the easy part.

Answer 2

As I look at your code, I see: roleArn = "arn:aws:iam::123456789876:role/iotTest"

Replace it with the correct ARN of a role that has allow iotanalytics:GetDatasetContent

In addition, I assume you didn't paste all of your code, since you are trying to access the arn:aws:iotanalytics:us-east-1:123456789876:dataset/my_project_name I have doubts that your account id is 123456789876, it looks like you miss some more ARNs in your code.