I'm trying to generate a temporary token via STS, using the aws-sdk (TypeScript). This is the code which tries to obtain the token.
import { STS } from "aws-sdk";

const sts = new STS();

export async function handler() {
  // Request temporary credentials scoped to SES, valid for two hours.
  const token = await sts
    .getFederationToken({
      DurationSeconds: 7200,
      Name: "test",
      Policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: {
          Effect: "Allow",
          Action: "ses:*",
          Resource: "*",
        },
      }),
    })
    .promise();
  return token;
}
Executing it locally works. Deploying it to a Lambda and running it yields the following error:
{
"errorType": "AccessDenied",
"errorMessage": "Cannot call GetFederationToken with session credentials",
"trace": [
"AccessDenied: Cannot call GetFederationToken with session credentials",
" at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)",
" at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)",
" at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)",
" at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14)",
" at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)",
" at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)",
" at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10",
" at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)",
" at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12)",
" at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)"
]
}
I am fairly certain the function has all the rights that are necessary (sts:*, ses:*, ...). Do Lambdas generally run in a context where getFederationToken is not permitted?
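Added example, not part of the question above: a pre-flight check that tells the two credential contexts apart before calling STS. GetFederationToken is only valid with long-term IAM user keys, while a Lambda execution role supplies session credentials (the runtime sets AWS_SESSION_TOKEN), which is the AccessDenied shown in the error output; for that context AssumeRole with a session Policy is the equivalent way to mint scoped-down temporary credentials. The role ARN and environment values used here are constructed placeholders.

```typescript
// Added example (not from the question): pick the STS operation that is valid for
// the credentials the code runs under. GetFederationToken only accepts long-term
// IAM user keys; a Lambda execution role supplies session credentials, so the
// runtime sets AWS_SESSION_TOKEN and GetFederationToken is rejected there.
// Assumption: the env object is process.env (or a constructed stand-in) and the
// role ARN is a placeholder for a role the caller is allowed to assume.

type EnvLike = Record<string, string | undefined>;

interface PolicyDocument {
  Version: "2012-10-17";
  Statement: Array<{ Effect: "Allow" | "Deny"; Action: string | string[]; Resource: string | string[] }>;
}

export interface StsCallPlan {
  operation: "getFederationToken" | "assumeRole";
  params: Record<string, unknown>;
}

// Temporary credentials (Lambda, EC2 instance roles, assumed roles) always carry a session token.
export function hasSessionCredentials(env: EnvLike): boolean {
  return typeof env.AWS_SESSION_TOKEN === "string" && env.AWS_SESSION_TOKEN.length > 0;
}

// Build the request for scoped-down temporary credentials without calling AWS.
export function planScopedCredentialCall(
  env: EnvLike, policy: PolicyDocument, durationSeconds: number, roleArn: string,
): StsCallPlan {
  const Policy = JSON.stringify(policy); // session policy: further restricts, never widens
  if (hasSessionCredentials(env)) {
    // Session credentials assuming another role is "role chaining", which AWS
    // caps at one hour regardless of the role's MaxSessionDuration, so clamp.
    const DurationSeconds = Math.min(durationSeconds, 3600);
    return {
      operation: "assumeRole",
      params: { RoleArn: roleArn, RoleSessionName: "scoped-session", DurationSeconds, Policy },
    };
  }
  // Long-term IAM user keys: GetFederationToken is allowed (15 min to 36 h).
  return { operation: "getFederationToken", params: { Name: "test", DurationSeconds: durationSeconds, Policy } };
}
```

The returned params are what you pass to sts.assumeRole(...) or sts.getFederationToken(...) on the aws-sdk v2 client, followed by .promise() as in the question's code.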