
I have a service user for boto3 to make calls to sts. If I want to make temporary credentials for access to a bucket on s3, does the user that makes the call to sts need access to that s3 bucket or is the inline policy below enough? NOTE: This is NOT the policy I pass to assume_role, this is the inline policy that the service user has attached.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "sts:AssumeRole"
      ],
      "Effect": "Allow",
      "Resource": "arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME"
    }
  ]
}

Basically, do I need to include "s3:*" in another statement?

Baylor
  • You need to understand [IAM PassRole](https://stackoverflow.com/questions/63148108/understanding-iam-passrole). – jarmod Mar 07 '22 at 17:57
  • No, the service user does not need s3 access. The credentials you gain from an assume_role no longer have any ties to the service user / do not know or care what the service user can do. – luk2302 Mar 07 '22 at 17:58

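The comments above answer the question in one line: the service user only needs sts:AssumeRole on the role; the S3 permissions belong to the role. The example below (added here; it is not code from the question or from the commenters, and every ARN, bucket name and key value in it is a constructed placeholder) shows the three policy documents that have to line up and the boto3 call that exchanges the service user's long-lived credentials for the role's temporary ones. It also shows the optional session policy passed to assume_role, which can only narrow the role's permissions, never widen them. The STS call is written against any object with a boto3-style assume_role method, so the credential handling can be exercised offline with the constructed stub at the bottom.

```python
"""Service user -> sts:AssumeRole -> temporary credentials -> S3 client.

Added example, not from the original post. ACCOUNT_ID, USER_ARN, ROLE_ARN,
BUCKET and the stub's key values are constructed placeholders.
"""
import json
from datetime import datetime, timedelta, timezone

ACCOUNT_ID = "123456789012"                                # placeholder account
USER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:user/s3-broker"     # the service user (placeholder)
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/s3-reader"     # the role it assumes (placeholder)
BUCKET = "example-bucket"                                  # placeholder bucket

# 1. Inline policy attached to the service user. No s3 action is needed here:
#    the user never calls S3 itself. Scoping Resource to one role ARN instead
#    of "*" keeps the user from assuming any other role in the account.
SERVICE_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}],
}

# 2. Trust policy on the role: which principals may assume it. The user's
#    sts:AssumeRole permission alone is not enough; the role must also trust it.
ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": USER_ARN},
                   "Action": "sts:AssumeRole"}],
}

# 3. Permissions policy on the role: this is what the temporary credentials
#    can do. The s3 grant lives here, not on the service user.
ROLE_PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}


def assume_s3_role(sts_client, role_arn=ROLE_ARN, session_name="s3-broker-session",
                   duration_seconds=900, session_policy=None):
    """Call STS AssumeRole and return the temporary credential triple.

    sts_client is any object with a boto3-compatible assume_role(**kwargs)
    method (boto3.client("sts") in real use, LocalStsStub below offline).
    session_policy, if given, is the Policy parameter of AssumeRole: an
    intersection filter that can only reduce what the role already allows.
    """
    kwargs = {"RoleArn": role_arn, "RoleSessionName": session_name,
              "DurationSeconds": duration_seconds}
    if session_policy is not None:
        kwargs["Policy"] = json.dumps(session_policy)
    creds = sts_client.assume_role(**kwargs)["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


def seconds_until_expiry(temp_creds, now=None):
    """Remaining lifetime; callers should re-assume before this reaches zero."""
    now = now or datetime.now(timezone.utc)
    return (temp_creds["expiration"] - now).total_seconds()


def s3_client_from(temp_creds, region_name="us-east-1"):
    """Build an S3 client that authenticates as the role, not the service user."""
    import boto3  # imported lazily so everything above runs without boto3 installed
    return boto3.client(
        "s3",
        region_name=region_name,
        aws_access_key_id=temp_creds["aws_access_key_id"],
        aws_secret_access_key=temp_creds["aws_secret_access_key"],
        aws_session_token=temp_creds["aws_session_token"],
    )


class LocalStsStub:
    """Constructed offline stand-in for boto3's STS client (not AWS behaviour)."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLEKEY",            # placeholder values
            "SecretAccessKey": "example-secret",
            "SessionToken": "example-session-token",
            "Expiration": datetime.now(timezone.utc)
                          + timedelta(seconds=kwargs["DurationSeconds"]),
        }}


if __name__ == "__main__":
    # Real use: temp = assume_s3_role(boto3.client("sts")); the service user's
    # own credentials come from the normal boto3 chain (env vars, profile, ...).
    temp = assume_s3_role(LocalStsStub())
    print("temporary key:", temp["aws_access_key_id"],
          "expires in", round(seconds_until_expiry(temp)), "s")
    s3 = s3_client_from(temp)  # no network call happens on client creation
    print("s3 client region:", s3.meta.region_name)
```

The three documents make the answer concrete: if a call with the temporary credentials is denied, the place to look is ROLE_PERMISSIONS_POLICY (or the session policy, if one was passed), not the service user's inline policy. The trust policy is the part most often forgotten; an AccessDenied on the AssumeRole call itself means the user policy or the trust policy is missing the other half.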
0 Answers