jrz

Reputation: 1387

aws cli assume-role works but still get permission denied on s3

I am trying to access an s3 bucket in account A from account B.

I followed this guide Cross-account IAM roles option. Then, to assume the role I use this aws cli command in my code:

aws sts assume-role --role-arn "arn:aws:iam::*********:role/cross-account-s3-access" --role-session-name AWSCLI-Session

I can see that the role was assumed:

{
    "Credentials": {
        "AccessKeyId": "********",
        "SecretAccessKey": "********",
        "SessionToken": "********",
        "Expiration": "2021-07-29T08:46:33Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "********:AWSCLI-Session",
        "Arn": "arn:aws:sts::********:assumed-role/cross-account-s3-access/AWSCLI-Session"
    }
}

Then, to check if the cross-account access worked, I perform the following command, which returns access denied:

+ aws s3 ls s3://digibank-endofday-files-stg
An error occurred (AccessDenied) when calling the ListObjectsV2 operation: Access Denied

My question is: what is the --role-session-name flag? I probably put a wrong value, but I couldn't find a proper explanation of it. Where do I find its value?

Upvotes: 3

Views: 5440

Answers (1)

John Rotenstein

Reputation: 269101

The flow is:

  • Using permanent credentials (eg from your IAM User), call AssumeRole() and provide the ARN of the desired role
  • If you have permission to call AssumeRole on this role, AWS STS will return a set of temporary credentials
  • You will then need to use those credentials in subsequent calls to AWS services

So, future calls will not be made from your IAM User (since it does not have permission to access S3). Instead, the call will need to be made with the new credentials.

If you were using a programming language, you would use these credentials to make a new Session object and then use it to make API calls.

However, given that you are using the AWS CLI, the easiest method to assume the call is to add a configuration in your ~/.aws/config file similar to this:

[profile prodaccess]
role_arn = arn:aws:iam::123456789012:role/ProductionAccessRole
source_profile = default

This configuration is saying: "Use my credentials from the default profile to assume this IAM Role".

You can use it like this:

aws s3 ls s3://digibank-endofday-files-stg --profile prodaccess

For details, see: Switching to an IAM role (AWS CLI) - AWS Identity and Access Management

The AWS CLI will automatically call AssumeRole(), then make the requested call using the temporary credentials that were returned.

Upvotes: 4
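The manual version of the flow described in the answer, as an added example that is not part of the original question or answer: take the JSON that `aws sts assume-role` prints, put the three credential values where the AWS CLI looks for them (the `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` environment variables), and confirm with `aws sts get-caller-identity` that the caller is now the role before touching S3. The role ARN, account ID, bucket and credential strings below are placeholders, and the JSON is a constructed sample so the script also runs offline. The session name the question asks about is only a label for this set of temporary credentials; it reappears as the last segment of the `AssumedRoleUser` ARN above.

```shell
#!/bin/sh
# Added example, not code from the original post or from AWS. Demonstrates the
# step the question skipped: the credentials that assume-role returns do nothing
# until they are exported, and the caller identity is the check that they took.

# Pull one string field out of the assume-role JSON on stdin. The CLI's default
# JSON output puts each key on its own line, which is all this sed relies on.
json_field() {
    sed -n "s/^[[:space:]]*\"$1\":[[:space:]]*\"\([^\"]*\)\".*/\1/p" | head -n 1
}

# Export the three variables the AWS CLI and SDKs read for temporary credentials.
# Once they are set, later `aws` commands run as the assumed role instead of the
# IAM user whose long-lived keys live in ~/.aws/credentials.
export_assumed_role() {
    _creds=$1
    AWS_ACCESS_KEY_ID=$(printf '%s\n' "$_creds" | json_field AccessKeyId)
    AWS_SECRET_ACCESS_KEY=$(printf '%s\n' "$_creds" | json_field SecretAccessKey)
    AWS_SESSION_TOKEN=$(printf '%s\n' "$_creds" | json_field SessionToken)
    if [ -z "$AWS_ACCESS_KEY_ID" ] || [ -z "$AWS_SECRET_ACCESS_KEY" ] || [ -z "$AWS_SESSION_TOKEN" ]; then
        echo "assume-role output is missing part of the credential set" >&2
        return 1
    fi
    export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
}

# Check that a caller ARN (from `aws sts get-caller-identity --query Arn`) is a
# session of the expected role in the expected account. An IAM user ARN such as
# arn:aws:iam::111122223333:user/alice fails this check, which is the situation
# in the question: credentials obtained, but the S3 call still made as the user.
caller_is_role() {
    _arn=$1 _account=$2 _role=$3
    case $_arn in
        "arn:aws:sts::${_account}:assumed-role/${_role}/"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample of assume-role output; none of these values are real.
SAMPLE_CREDS='{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0001",
        "SecretAccessKey": "exampleSecret/NotARealKey+0000000000000000",
        "SessionToken": "FwoGZXIvYXdzEExampleSessionTokenNotReal==",
        "Expiration": "2021-07-29T08:46:33Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEROLEID:AWSCLI-Session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/cross-account-s3-access/AWSCLI-Session"
    }
}'

# The live flow is only attempted when the CLI is installed and ROLE_ARN is set
# (e.g. arn:aws:iam::123456789012:role/cross-account-s3-access, a placeholder);
# otherwise the constructed sample stands in so the script runs offline.
live=0
if [ -n "${ROLE_ARN:-}" ] && command -v aws >/dev/null 2>&1; then
    live=1
    creds=$(aws sts assume-role --role-arn "$ROLE_ARN" --role-session-name AWSCLI-Session)
else
    creds=$SAMPLE_CREDS
fi
export_assumed_role "$creds"

if [ "$live" -eq 1 ]; then
    # Verify before listing: the ARN must be the role's session, not the IAM user.
    caller=$(aws sts get-caller-identity --query Arn --output text)
    account=$(printf '%s' "$ROLE_ARN" | cut -d: -f5)
    role=${ROLE_ARN##*/}
    if caller_is_role "$caller" "$account" "$role"; then
        aws s3 ls s3://digibank-endofday-files-stg
    else
        echo "still calling as $caller, not as role $role" >&2
        exit 1
    fi
fi
```

The exported variables override the `default` profile for the rest of the shell session, so `unset AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN` when finished (or do the work in a subshell); the `--profile` approach in the answer avoids that bookkeeping because the CLI handles the credential swap per command.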

Related Questions