Reputation: 3723
I have a stack with one IAM role that is to be assumed inside the Lambda runtime, and a Lambda function for which I've added permission to execute sts:AssumeRole (using the AWS SDK). The problem is that I'm getting an AccessDenied error when I execute the Lambda function.
This is the Lambda infrastructure:
```typescript
import * as path from "path";
import * as cdk from "aws-cdk-lib";
import { Effect, PolicyDocument, PolicyStatement, Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";
import { Runtime } from "aws-cdk-lib/aws-lambda";
import { NodejsFunction } from "aws-cdk-lib/aws-lambda-nodejs";

// Role the handler assumes at runtime; its trust policy names only the Lambda service principal
const roleAssumedInLambdaRunTime = new Role(this, "GrantS3AccessRole", {
  assumedBy: new ServicePrincipal("lambda.amazonaws.com"),
  inlinePolicies: {
    S3FullAccess: new PolicyDocument({
      statements: [
        new PolicyStatement({
          effect: Effect.ALLOW,
          actions: ["s3:*"],
          resources: ["*"],
        }),
      ],
    }),
  },
});

const lambdaFn = new NodejsFunction(this, "TestSTSLambda11", {
  memorySize: 1024,
  timeout: cdk.Duration.seconds(30),
  runtime: Runtime.NODEJS_20_X,
  handler: "handler",
  entry: path.join(__dirname, `../../handlers/lambda-assume-sts-role.ts`),
  environment: {
    // ARN of the target role, passed to the handler
    ASSUME_ROLE_ARN: roleAssumedInLambdaRunTime.roleArn,
  },
});

// Identity-side permission added to the function's execution role
lambdaFn.addToRolePolicy(
  new PolicyStatement({
    sid: "AllowSTSAssumeRole",
    effect: Effect.ALLOW,
    actions: ["sts:AssumeRole"],
    resources: ["*"],
  })
);
lambdaFn.node.addDependency(roleAssumedInLambdaRunTime);
```
The Lambda function:
```typescript
import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";

export async function handler() {
  const stsClient = new STSClient({ region: "eu-central-1" });
  // ARN of GrantS3AccessRole, injected by the CDK stack
  const assumeRoleArn = process.env.ASSUME_ROLE_ARN;
  console.log(`👉 assumeRoleArn = `, assumeRoleArn);

  // Called with the function's execution-role credentials
  const result = await stsClient.send(
    new AssumeRoleCommand({
      RoleArn: assumeRoleArn,
      RoleSessionName: "mySession",
      DurationSeconds: 3600, // 1 hour
    })
  );
  console.log(`result = `, result);
  return {
    status: "OKAY",
  };
}
```
When I test the lambda execution I get the following error:
```
"errorType": "AccessDenied",
"errorMessage": "User: arn:aws:sts::111111111111:assumed-role/TestLambdaWithSts-TestSTSLambda11ServiceRole3AAAA89-x420WaTiw1LF/TestLambdaWithSts-TestSTSLambda11D1433AEF-gRhoA42zLw1k is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::111111111111:role/TestLambdaWithSts-GrantS3AccessRole1D33947E-OFL9jGuPP02I",
```
Upvotes: 1
Views: 92
Reputation: 9432
Take a look at the trust relationship defined for the TestLambdaWithSts-TestSTSLambdaServiceRoleASDASD role. A role itself must define who is allowed to assume it. It needs a trust relationship policy that grants access for TestLambdaxyz to assume it, since it appears from the error message that your lambda is configured to run using the TestLambdaxyz.
This article goes into details on how to set up the permissions required to allow this sort of role chaining. Also see How to assume an AWS role from another AWS role?
Upvotes: 3
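The answer's point worked through as an added example (not part of the question or the answer): map the caller ARN from the AccessDenied message to the execution role's IAM ARN, show that the trust policy the question's ServicePrincipal produces does not name that role, and build the trust policy that does (in CDK this is assumedBy: new ArnPrincipal(executionRoleArn) on GrantS3AccessRole). The trust-policy check is a deliberately simplified stand-in for IAM's real evaluation, as noted in its docstring.

```python
import re

# Caller ARN copied from the AccessDenied message in the question
SESSION_ARN = ("arn:aws:sts::111111111111:assumed-role/"
               "TestLambdaWithSts-TestSTSLambda11ServiceRole3AAAA89-x420WaTiw1LF/"
               "TestLambdaWithSts-TestSTSLambda11D1433AEF-gRhoA42zLw1k")

# Trust policy the question's CDK snippet produces for GrantS3AccessRole (service principal only)
ORIGINAL_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "lambda.amazonaws.com"}}],
}

_SESSION_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")

def execution_role_arn(session_arn: str) -> str:
    """Map an STS assumed-role session ARN to the IAM role ARN that the
    Principal element of a trust policy has to name."""
    m = _SESSION_RE.match(session_arn)
    if not m:
        raise ValueError(f"not an assumed-role session ARN: {session_arn}")
    account, role_name = m.groups()
    return f"arn:aws:iam::{account}:role/{role_name}"

def trust_policy_for(role_arn: str) -> dict:
    """Trust policy that lets exactly this role assume the target role
    (what CDK emits for assumedBy: new ArnPrincipal(role_arn))."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Principal": {"AWS": role_arn}}],
    }

def trust_policy_allows(policy: dict, session_arn: str) -> bool:
    """Simplified trust-policy check: does an Allow statement for sts:AssumeRole
    list the caller's role ARN under Principal.AWS? Conditions, wildcards and
    account-root delegation, which real IAM also evaluates, are ignored."""
    caller = execution_role_arn(session_arn)
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        aws = stmt.get("Principal", {}).get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        if stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions and caller in aws:
            return True
    return False
```

Calling trust_policy_allows(ORIGINAL_TRUST_POLICY, SESSION_ARN) returns False, while trust_policy_for(execution_role_arn(SESSION_ARN)) yields a policy for which it returns True.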