diego-gw

Reputation: 1

How to get a credential-provider that runs from another AWS IAM User

The AWS account I work in has 2 main IAM users:

I want to be able, from a Lambda being executed by User A, to trigger an AssumeRole command as User B. In AWS SDK v2, my code looked like this (simplified):

const { STS, SQS } = require("aws-sdk"); // AWS SDK v2
const userBCredentials = await secretsProvider.getSecretValue({ userBArn }); // get long-term credentials of User B ({ accessKeyId, secretAccessKey })
const userB_StsClient = new STS({ credentials: userBCredentials }); // STS client authenticated as User B
const { Credentials } = await userB_StsClient.assumeRole({ RoleArn: targetRoleArn, RoleSessionName: "userB-session" }).promise(); // get targetRole (session name is a placeholder)
const authenticatedSqsClient = new SQS({ // SQS client authenticated as targetRole in the 3rd-party AWS account
  credentials: { accessKeyId: Credentials.AccessKeyId, secretAccessKey: Credentials.SecretAccessKey, sessionToken: Credentials.SessionToken },
});
// do SQS operations in 3rd party AWS Account using targetRole

We recently upgraded to SDK v3 (about time, I know); many of the authentication mechanisms have changed and this code doesn't work anymore.

The new SQS client authentication method requires the use of credential-providers. I tried the following:

import * as aws_cp from "@aws-sdk/credential-providers";
import * as aws_sqs from "@aws-sdk/client-sqs";

const userBCredentials = await secretsProvider.getSecretValue({ userBArn }); // get long-term credentials of User B ({ accessKeyId, secretAccessKey })
const assumeRoleCP = aws_cp.fromTemporaryCredentials({
  params: { RoleArn: targetRoleArn }, // role to assume in the 3rd-party account
  clientConfig: {
    credentials: userBCredentials // intended: make the internal STS client sign AssumeRole as User B
  }
});
const sqsClient = new aws_sqs.SQS({ credentials: assumeRoleCP }); // SQS client resolves its credentials through the provider

According to the AWS documentation for aws_cp.fromTemporaryCredentials, the clientConfig parameter is supposed to configure the STS client that then calls the assumeRole API. When I then try to use the sqsClient, I get the following error:

User: userAArn is not authorized to perform: sts:SetSourceIdentity on resource: targetRoleArn

which tells me that the credential provider still executes assumeRole using the User A role. I was hoping that the clientConfig parameter would create "under the hood" an STS client authenticated as User B, which would then be allowed to execute assumeRole.

Upvotes: 0

Views: 121
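The following is an added example, not code from the question or from the AWS SDK. It is an offline model of how SDK v3 credential providers chain: a provider is just an async function returning `{ accessKeyId, secretAccessKey, sessionToken, expiration }`, and the provider that calls AssumeRole is built on top of another provider that supplies the identity signing that call. In the real `@aws-sdk/credential-providers` package that source identity is the `masterCredentials` option of `fromTemporaryCredentials` (documented in the package README); `clientConfig` configures the STS client itself. The model assumes, as the error in the question suggests, that a `credentials` key placed under `clientConfig` does not become the AssumeRole signer, so the STS client falls back to the Lambda's execution identity (User A). The STS and SQS clients, the ARNs `userAArn`, `userBArn`, `targetRoleArn` and all key material are constructed stand-ins so the file runs without AWS access.

```javascript
// Added example, not code from the question. Offline model of SDK v3 provider chaining.
// All clients, identities and keys below are constructed; the masterCredentials field models
// the real option fromTemporaryCredentials({ masterCredentials, params }).

// Constructed identities (not real keys). "principal" stands in for the ARN STS would see.
const DEFAULT_CHAIN_USER_A = { accessKeyId: "AKIA_EXAMPLE_A", secretAccessKey: "secretA", principal: "userAArn" };
const USER_B = { accessKeyId: "AKIA_EXAMPLE_B", secretAccessKey: "secretB", principal: "userBArn" };

// Provider over static long-term credentials (what the question's secretsProvider yields).
const fromStatic = (creds) => async () => ({ ...creds });

// Model of the Lambda's default credential chain: the execution identity, i.e. User A.
const defaultProvider = fromStatic(DEFAULT_CHAIN_USER_A);

// Constructed STS stand-in. Whatever the client's credentials provider resolves to is the
// AssumeRole caller; the fake trust policy only lets userBArn assume targetRoleArn.
class FakeStsClient {
  constructor({ credentials = defaultProvider } = {}) {
    this.credentials = credentials;
  }
  async assumeRole({ RoleArn, RoleSessionName }) {
    const caller = await this.credentials();
    if (caller.principal !== "userBArn" || RoleArn !== "targetRoleArn") {
      // Constructed denial message, shaped like the one in the question.
      throw new Error(`User: ${caller.principal} is not authorized to perform: sts:AssumeRole on resource: ${RoleArn}`);
    }
    return {
      Credentials: {
        AccessKeyId: `ASIA_${RoleSessionName}`,
        SecretAccessKey: "temporarySecret",
        SessionToken: `token-for-${RoleArn}-by-${caller.principal}`,
        Expiration: new Date(Date.now() + 3600 * 1000),
      },
    };
  }
}

// Model of fromTemporaryCredentials. The identity that signs AssumeRole comes from
// masterCredentials; clientConfig is assumed (as the question's error suggests) to tune the
// STS client only, so a credentials key placed there does not become the signer.
function fromTemporaryCredentials({ params, masterCredentials, clientConfig = {} }) {
  const { credentials: notUsedAsSigner, ...stsConfig } = clientConfig;
  const sts = new FakeStsClient({ ...stsConfig, credentials: masterCredentials ?? defaultProvider });
  let cached;
  return async () => {
    // Reuse the session until it is within five minutes of expiry, then call AssumeRole again.
    if (cached && cached.expiration.getTime() - Date.now() > 5 * 60 * 1000) return cached;
    const { Credentials } = await sts.assumeRole({ RoleSessionName: "lambda-session", ...params });
    cached = {
      accessKeyId: Credentials.AccessKeyId,
      secretAccessKey: Credentials.SecretAccessKey,
      sessionToken: Credentials.SessionToken,
      expiration: Credentials.Expiration,
    };
    return cached;
  };
}

// Service-client stand-in: like the real SDK clients it takes a provider and resolves it on use.
class FakeSqsClient {
  constructor({ credentials }) {
    this.credentials = credentials;
  }
  async sessionTokenInUse() {
    return (await this.credentials()).sessionToken;
  }
}

// The intended chain: AssumeRole signed as User B, SQS calls signed as targetRole.
async function sendAsTargetRole() {
  const sqs = new FakeSqsClient({
    credentials: fromTemporaryCredentials({
      masterCredentials: fromStatic(USER_B),
      params: { RoleArn: "targetRoleArn" },
    }),
  });
  return sqs.sessionTokenInUse();
}

// The question's attempt: User B's keys under clientConfig. In this model they are not used as
// the signer, the STS client falls back to the default chain (User A) and AssumeRole is denied.
async function sendWithCredentialsInClientConfig() {
  const sqs = new FakeSqsClient({
    credentials: fromTemporaryCredentials({
      params: { RoleArn: "targetRoleArn" },
      clientConfig: { credentials: fromStatic(USER_B) },
    }),
  });
  try {
    return await sqs.sessionTokenInUse();
  } catch (err) {
    return err.message;
  }
}

// Stand-alone run: shows which identity each wiring ends up with.
sendAsTargetRole().then((token) => console.log("masterCredentials path:", token));
sendWithCredentialsInClientConfig().then((result) => console.log("clientConfig path:", result));
```

The point the model makes is that the identity performing AssumeRole is whatever provider the STS client inside `fromTemporaryCredentials` resolves, and that nothing else in the chain (the SQS client, or options meant for the STS client's transport) supplies it. Wiring User B in as the source provider keeps the Lambda's own execution identity out of the trust relationship with the third-party role, which is also the least-privilege shape: only User B needs sts:AssumeRole on targetRoleArn.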

Answers (0)
