
I'm trying to remove access to temporarily generated session tokens using STS.

But I received the following error:

Exception in thread "main" com.amazonaws.services.securitytoken.model.MalformedPolicyDocumentException: Policy document should not specify a principal. (Service: AWSSecurityTokenService; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: c563c2c1-62a8-478e-98a3-f6153ee8df03; Proxy: null)

```java
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;

AssumeRoleRequest roleRequest = new AssumeRoleRequest()
        .withRoleArn(ROLE_ARN)
        .withTags(tags)
        .withRoleSessionName(ROLE_SESSION_NAME);
roleRequest.setDurationSeconds(60 * 15);    // 15-minute session
roleRequest.withPolicy(INVALIDATE_POLICY);  // session policy JSON (the document below)
AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
```

Generated policy based on the documentation:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_disable-perms.html

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Principal": {
      "AWS": "arn:aws:sts::ACCOUNT-ID-WITHOUT-HYPHENS:assumed-Role/Mary"
    },
    "Effect": "Deny",
    "Action": "s3:*",
    "Resource": "arn:aws:s3:::EXAMPLE-BUCKET"
  }
}
```

link to the session policy reference

John Rotenstein

1 Answer


That documentation is referring to a resource-based policy (eg a Bucket Policy in S3), whereas you are attempting to attach the policy to an IAM Role.

When attaching a policy to an IAM entity (User, Group, Role), there is no need to specify a Principal because the policy only applies to the entity to which the policy is attached.

John Rotenstein
  • Thank you for correcting me. Is there any way to disable access to a specific assumed role session if I have an ARN like below: arn:aws:sts::594457685993:assumed-role/s3_full_access/tarun – Tarun Kumar Feb 03 '21 at 06:28
  • Anybody with assumed credentials that are still within their validity period can still use the permissions of the role. One option is to **remove permissions from the role**, which will also remove permissions from their assumed credentials. This can also be done based upon when the security credentials were issued. I think your example is from the matching documentation page: [Revoking IAM role temporary security credentials](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html) – John Rotenstein Feb 03 '21 at 06:49
  • It seems like the above requirement, but this deny policy applies to all users of the specified role, not just those with longer duration console sessions. It seems AWS does not support revoking a specific assumed role session by the referenced role session name when an identity-based policy is used. – Tarun Kumar Feb 03 '21 at 07:14
  • Correct -- this cannot be done within the Role itself (either they _have_ permissions or they do not). However, it _can_ be done within specific Resource Policies (eg S3 Bucket Policy) as per the example that you copied from the documentation. – John Rotenstein Feb 03 '21 at 07:44
  • Thank you for the info. If some functionality were available to revoke temporary session credentials by AccessKeyId, it would be helpful. – Tarun Kumar Feb 03 '21 at 11:37
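The distinction the answer and the comment thread draw, worked through as an added example (not code from the question, the answer, or the AWS SDK): a session policy passed to AssumeRole carries no Principal, a resource-based S3 bucket policy is where one assumed-role session can be named, and the linked "Revoking IAM role temporary security credentials" page's `aws:TokenIssueTime` condition cuts off sessions issued before a given time. The code is Python with boto3-style `assume_role(**kwargs)` calls against a constructed offline fake client; the account ID, bucket and role names are placeholders, and the local check reproduces the condition behind the `MalformedPolicyDocument` error so it is caught before the request leaves the process.

```python
"""Session policy vs. resource-based policy for STS AssumeRole (added example)."""
import json

# The question's policy, same structure ("Statement" is a single object), placeholder account.
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Principal": {"AWS": "arn:aws:sts::123456789012:assumed-role/Mary"},
        "Effect": "Deny",
        "Action": "s3:*",
        "Resource": "arn:aws:s3:::EXAMPLE-BUCKET",
    },
}


def _statements(policy):
    """IAM allows "Statement" to be one object or a list; normalise to a list."""
    stmts = policy.get("Statement", [])
    return [stmts] if isinstance(stmts, dict) else list(stmts)


def session_policy_problems(policy):
    """Return why STS would reject `policy` as a session policy (empty list if it is fine)."""
    problems = []
    for i, stmt in enumerate(_statements(policy)):
        for key in ("Principal", "NotPrincipal"):
            if key in stmt:
                problems.append(f"Statement[{i}] specifies {key}; session policies take none")
    return problems


def session_policy_deny_s3(bucket):
    """Session policy: no Principal; it applies only to the session it is passed with."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def bucket_policy_deny_session(bucket, assumed_role_session_arn):
    """Resource-based bucket policy: here the Principal names one assumed-role session."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Principal": {"AWS": assumed_role_session_arn},
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        }],
    }


def revoke_sessions_issued_before(issue_time_iso):
    """Inline role policy denying every session whose credentials predate `issue_time_iso`."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": issue_time_iso}},
        }],
    }


def assume_role_with_session_policy(sts, role_arn, session_name, policy, duration=900):
    """Call AssumeRole with `policy` as the session policy after checking it locally.

    `sts` is any object with a boto3-style assume_role(**kwargs) method (real or fake).
    """
    problems = session_policy_problems(policy)
    if problems:
        raise ValueError("Policy document should not specify a principal: " + "; ".join(problems))
    return sts.assume_role(
        RoleArn=role_arn,
        RoleSessionName=session_name,
        Policy=json.dumps(policy),
        DurationSeconds=duration,
    )


class FakeSts:
    """Offline stand-in for a boto3 STS client, constructed for this example."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        account = kwargs["RoleArn"].split(":")[4]
        role_name = kwargs["RoleArn"].rsplit("/", 1)[-1]
        session_arn = f"arn:aws:sts::{account}:assumed-role/{role_name}/{kwargs['RoleSessionName']}"
        return {"AssumedRoleUser": {"Arn": session_arn}}


if __name__ == "__main__":
    print(session_policy_problems(QUESTION_POLICY))
    sts = FakeSts()
    resp = assume_role_with_session_policy(
        sts, "arn:aws:iam::123456789012:role/s3_full_access", "tarun",
        session_policy_deny_s3("EXAMPLE-BUCKET"))
    print(json.dumps(bucket_policy_deny_session("EXAMPLE-BUCKET", resp["AssumedRoleUser"]["Arn"]), indent=2))
```

With a real `boto3.client("sts")` in place of `FakeSts`, the first function raises locally for the question's policy and succeeds for the Principal-free one; the bucket policy is what the comments identify as the only place a single session can be denied, and the `aws:TokenIssueTime` policy is the role-level alternative that affects every session issued before the cut-off rather than one session name.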