Fatboyover

Reputation: 33

Cross-Account IAM Access Using AWS SDK via assumed-role giving error

I am attempting to assume a role in another AWS account through an assumed role, authorising using the WebIdentityTokenFileCredentialsProvider via the AWS STS SDK. This is run on a k8s instance, with credentials provided to access a specific role within an account.

e.g. Account 1 has credentials on the k8s pod for the account-1-role, and wants to assume the my-query-role role that exists in Account 2.

My current policy looks like this:

Account 1 account-1-role Permission Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Effect": "Allow",
            "Resource": [
                "arn:aws:iam::<account_2_id>:role/my-query-role"
            ]
        }
    ]
}

Account 2 my-query-role Trust Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<account_1_id>:root"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Java

import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.WebIdentityTokenFileCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.AssumeRoleResponse;

// First hop: the pod's web identity token (read from the AWS_WEB_IDENTITY_TOKEN_FILE and
// AWS_ROLE_ARN environment variables) is exchanged for account-1-role credentials.
AwsCredentialsProvider awsCredentialsProvider = WebIdentityTokenFileCredentialsProvider.create();

StsClient stsClient = StsClient.builder()
        .credentialsProvider(awsCredentialsProvider)
        .region(Region.EU_WEST_1)
        .build();

// Second hop: ask STS for temporary credentials for my-query-role in Account 2.
// MANAGED_PROMETHEUS_ROLE_SESSION is a session-name constant defined elsewhere in the poster's code.
AssumeRoleRequest assumeRoleRequest = AssumeRoleRequest.builder()
        .roleArn("arn:aws:iam::<account_2_id>:role/my-query-role")
        .roleSessionName(MANAGED_PROMETHEUS_ROLE_SESSION)
        .build();

AssumeRoleResponse assumeRoleResponse = stsClient.assumeRole(assumeRoleRequest);

Problem

However, when I then attempt to assume the role through the AWS StsClient, I get the following error:

software.amazon.awssdk.services.sts.model.StsException: User: arn:aws:sts::<account_1_id>:assumed-role/<account_1_role>/aws-sdk-java-1680536628314 
is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account_2_id>:role/my-query-role 
(Service: Sts, Status Code: 403, Request ID: 9aa79d21-344f-41b1-a251-8f81bb23af8c)

My question is, do I have to provide a separate policy for the StsClient to be able to use the permission? I thought from reading the documentation that the assumed-role would have the same policy as the parent role, so would be trusted by Account 2. However, the ARN does seem to be in a different format,

e.g. arn:aws:sts::<account_1_id>:assumed-role rather than arn:aws:sts::<account_1_id>:role

Upvotes: 1

Views: 1823

Answers (1)

Ankush Jain

Reputation: 7059

The trust policy for the my-query-role IAM role in Account 2 is wrong in your case.

You should update the Principal field to have the ARN of Account 1's IAM role, account-1-role.

Trust Policy - IAM Role - Account 2

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "<THIS SHOULD BE THE ARN OF IAM ROLE IN ACCOUNT 1>"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Upvotes: 0
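The question asks why the caller shows up as an `assumed-role` ARN and the answer says to name the Account 1 role ARN in the trust policy. As an added example (not code from the question, the answer, or the AWS SDK), the Python checker below maps the STS session ARN from the error message back to the IAM role ARN that IAM actually matches against a trust policy, then evaluates a trust policy's Principal against it, distinguishing an explicit role principal from an account-root principal (which delegates the decision to Account 1's own permission policy). The 12-digit account IDs and function names are constructed placeholders.

```python
import re
from typing import Dict, List, Tuple

# Caller ARN as it appears in the STS error message: a session ARN, not an IAM role ARN.
ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(?P<acct>\d{12}):assumed-role/(?P<role>[^/]+)/[^/]+$")

def assumed_role_to_role_arn(sts_arn: str) -> str:
    """arn:aws:sts::ACCT:assumed-role/ROLE/SESSION -> arn:aws:iam::ACCT:role/ROLE (what IAM matches)."""
    m = ASSUMED_ROLE_RE.match(sts_arn)
    if not m:
        raise ValueError(f"not an STS assumed-role ARN: {sts_arn}")
    return f"arn:aws:iam::{m['acct']}:role/{m['role']}"

def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value or [])

def trust_policy_allows(trust_policy: Dict, caller_sts_arn: str) -> Tuple[bool, str]:
    """(allowed, reason) for one sts:AssumeRole call. A role-ARN principal matches only that
    role; an account root or bare account ID delegates to the caller account's own permission
    policy, which must then also allow the call. An explicit Deny overrides any Allow."""
    role_arn = assumed_role_to_role_arn(caller_sts_arn)
    account = role_arn.split(":")[4]
    account_principals = {f"arn:aws:iam::{account}:root", account}
    allow_reason = None
    for st in trust_policy["Statement"]:
        actions = _as_list(st.get("Action"))
        if "sts:AssumeRole" not in actions and "sts:*" not in actions:
            continue
        principal = st.get("Principal", {})
        names = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        for name in names:
            if name == "*":
                hit = "wildcard principal '*' (any AWS account can assume; tighten this)"
            elif name == role_arn:
                hit = f"explicit role principal {name}"
            elif name in account_principals:
                hit = f"account-level principal {name}; caller's permission policy must also allow"
            else:
                continue
            if st.get("Effect") == "Deny":
                return False, f"explicit Deny via {hit}"
            allow_reason = allow_reason or hit
    return (True, allow_reason) if allow_reason else (False, f"no Allow names {role_arn} or account {account}")

# Constructed sample (placeholder account IDs): the question's root-principal trust policy
# and the caller ARN from its error message.
SAMPLE_TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
    "Principal": {"AWS": ["arn:aws:iam::111111111111:root"]}, "Action": "sts:AssumeRole"}]}
SAMPLE_CALLER = "arn:aws:sts::111111111111:assumed-role/account-1-role/aws-sdk-java-1680536628314"

if __name__ == "__main__":
    print(trust_policy_allows(SAMPLE_TRUST_POLICY, SAMPLE_CALLER))
```

When the checker reports an account-level principal as the only match, the 403 must be chased in Account 1's permission policy attached to the role the pod actually runs as; when it reports no match, the trust policy in Account 2 is the place to fix.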
