
I'm new to AWS. I want to generate temporary credentials for an AWS call, and for that I use the example from Making Requests Using IAM User Temporary Credentials - AWS SDK for Java

Where I pass

String clientRegion = "<specific region>";
String roleARN = "<ARN from role>";
String roleSessionName = "Just random string"; //<-- maybe I should pass specific SessionName?
String bucketName = "<specific bucket name>";

And when trying to assume the role

stsClient.assumeRole(roleRequest);

I get an error:

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam:::user/ is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<ID>:role/<ROLE_NAME> (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID:)

I have a Cognito role. I think the problem is in the role's Trust Relationship settings. It looks like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<iam user ID>:user/<USER_NAME>",
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "cognito-identity.amazonaws.com:aud": "<user pool ID>"
        },
        "ForAnyValue:StringLike": {
          "cognito-identity.amazonaws.com:amr": "authenticated"
        }
      }
    }
  ]
}

and the user policy (this user policy is also attached to the Role):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "<sidId1>",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject",
                "s3:PutObjectAcl"
            ],
            "Resource": [
                "arn:aws:s3:::<path>*"
            ]
        },
        {
            "Sid": "sidId2",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "sts:AssumeRoleWithWebIdentity"
            ],
            "Resource": [
                "arn:aws:iam::<ID>:role/<ROLE_NAME>"
            ]
        }
    ]
}

The user policy has two warnings (shown in a screenshot). What am I doing wrong?

UPD: I changed the role's Trust Relationship, just deleted the Condition:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "cognito-identity.amazonaws.com",
        "AWS": "arn:aws:iam::<ID>:user/<USER>"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:AssumeRoleWithWebIdentity"
      ]
    }
  ]
}

and now the Access Denied error occurs on another line of code:

  // Verify that assuming the role worked and the permissions are set correctly
  // by getting a set of object keys from the bucket.
  ObjectListing objects = s3Client.listObjects(bucketName);

I received this error response: com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: ), S3 Extended Request ID:

Nikolas
    Looks like you are missing the action `s3:ListBucket` in your policy. This action is for the bucket resource. Also you should remove the account id in the policy you posted above in your latest update(for security reasons). – user818510 Jun 05 '18 at 16:48

1 Answer


To be able to assume an IAM Role, the IAM Role's assume role policy (trust relationship) must explicitly allow the principal assuming the role, which in this case it didn't. It permitted sts:AssumeRoleWithWebIdentity with some conditions which didn't apply to your case.

About the other error, as mentioned by @user818510, your role doesn't have permission for the s3:ListBucket action.

Farid Nouri Neshat