
I'm trying to create an S3 client in Java with STS:

 import com.amazonaws.auth.AWSStaticCredentialsProvider;
 import com.amazonaws.auth.BasicSessionCredentials;
 import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
 import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
 import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
 import com.amazonaws.services.securitytoken.model.AssumeRoleResult;

 // Session credentials of the role the application itself runs under
 BasicSessionCredentials credentials = getCredentialsOfCurrentRole();
 // Build the STS client with the builder (the AWSSecurityTokenServiceClient constructor is deprecated)
 AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
         .withCredentials(new AWSStaticCredentialsProvider(credentials))
         .withRegion(REGION)
         .build();
 AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
         .withRoleArn(roleArn)
         .withDurationSeconds(getDurationToAssumeRole())
         .withRoleSessionName(sessionName);
 AssumeRoleResult assumeRoleResult = sts.assumeRole(assumeRoleRequest);
 // Get temporary credentials of the assumed role (assumedRoleCredentials is a field of type Credentials)
 assumedRoleCredentials = assumeRoleResult.getCredentials();

But I get the following exception when requesting temporary credentials for the IAM role:

Failed to get credentials using STS. Reason: 
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: 
arn:aws:sts::434234520724:assumed-role/myapplication.role.name/kiam-kiam is not authorized to 
perform: sts:AssumeRole on resource: arn:aws:iam::412341320567:role/webapplication.app.com
paresh

2 Answers


The error message is rather self-explanatory. The IAM role myapplication.role.name/kiam-kiam that your code runs under has no permission to assume the webapplication.app.com role.

To try to rectify the issue, you can attach an inline policy to the myapplication.role.name role. The policy could be:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowAssumeRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::412341320567:role/webapplication.app.com"
        }
    ]
}
Marcin

It looks like you are using Java V1. I will show V2 code to answer this question. In the role that you want to assume, for example using the STS Java V2 API, you need to set a trust relationship. In the trust relationship, specify the user to trust. For example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "<Specify the ARN of your IAM user you are using in this code example>"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Now you can, for example, run a Java program to invoke the assumeRole operation.

package com.example.sts;

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.StsException;
import software.amazon.awssdk.services.sts.model.AssumeRoleResponse;
import software.amazon.awssdk.services.sts.model.Credentials;
import java.time.Instant;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.time.format.FormatStyle;
import java.util.Locale;

/**
 * To make this code example work, create a Role that you want to assume.
 * Then define a Trust Relationship in the AWS Console. You can use this as an example:
 *
 * {
 *   "Version": "2012-10-17",
 *   "Statement": [
 *     {
 *       "Effect": "Allow",
 *       "Principal": {
 *         "AWS": "<Specify the ARN of your IAM user you are using in this code example>"
 *       },
 *       "Action": "sts:AssumeRole"
 *     }
 *   ]
 * }
 *
 * For more information, see "Editing the Trust Relationship for an Existing Role" in the AWS Directory Service guide.
 */
public class AssumeRole {

    public static void main(String[] args) {

        String roleArn = "arn:aws:iam::000540000000:role/s3role"; // args[0];
        String roleSessionName = "mysession101"; // args[1];

        Region region = Region.US_EAST_1;
        // The STS client uses the default credential chain, i.e. the caller named in the trust policy
        StsClient stsClient = StsClient.builder()
                .region(region)
                .build();

        try {
            AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
                    .roleArn(roleArn)
                    .roleSessionName(roleSessionName)
                    .build();

            AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest);

            Credentials myCreds = roleResponse.credentials();

            // Display the time when the temp creds expire
            Instant exTime = myCreds.expiration();

            // Convert the Instant to a readable date
            DateTimeFormatter formatter =
                    DateTimeFormatter.ofLocalizedDateTime(FormatStyle.SHORT)
                            .withLocale(Locale.US)
                            .withZone(ZoneId.systemDefault());

            // Print the formatted value (the original discarded the formatter output)
            String readableTime = formatter.format(exTime);
            System.out.println("The temporary credentials expire on " + readableTime);

        } catch (StsException e) {
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }
}

Without setting the Trust Relationship, this code does not work.

smac2020