
My application generates this error message:

arn:aws:sts::123456789012:assumed-role/my-service-role/aws-sdk-1111111111111 is not authorized to perform: secretsmanager:GetSecretValue

How can I see more information about which roles or permissions are attached to this assumed role?

I have tried querying for this with the AWS CLI using aws iam get-user / list-users / get-role / list-roles but none of them show it. I looked at querying under STS but couldn't see an appropriate option.

I couldn't find this role in the AWS console.

Buh Buh
  • The command in the AWS CLI is `aws iam list-roles`. More can be read here: https://awscli.amazonaws.com/v2/documentation/api/latest/reference/iam/list-roles.html. If it's a cross-account role, you won't be able to find it in the account you are in. You need to go to the account where the resources you are "querying" are. – Riz Apr 20 '22 at 15:34
  • @Riz, I tried that command already too. I used the account from the ARN (in the example above, 123456789012). I think the problem is that it is not a normal role. It is part of STS somehow? – Buh Buh Apr 20 '22 at 15:42
  • No, as the name suggests, you are assuming an already existing role, not making another one. All the roles are present in the console (IAM). Also the ones created by Lambda/CloudWatch event rules or other services by default can be found in the IAM console. – Riz Apr 20 '22 at 15:51

1 Answer


How can I see more information about which roles or permissions are attached to this assumed role?

You can access this information in a number of ways. If you know the name of the role you can use the IAM service; here is a boto3 example:

import boto3
iam = boto3.resource('iam')
# Substitute the name of the role you are interested in here
role = iam.Role('AWSServiceRoleForRDS')

# Print every managed policy attached to the role
for pol in role.attached_policies.iterator():
    print(pol)

For me this gives:

iam.Policy(arn='arn:aws:iam::aws:policy/aws-service-role/AmazonRDSServiceRolePolicy')

The sole policy I have attached to this role. Obviously, you'll need to substitute the role name you are interested in here in place of 'AWSServiceRoleForRDS'.

In general this will print out all the policies attached to the role (to stdout).

In order to make this query you need to be authenticated as a user or role that has permissions to access the IAM role (or user).

Update: How to find the name of the role from an ARN?

Following the AWS docs for IAM identifiers, you can identify the role name from the ARN; for STS assumed roles they follow this format:

arn:aws:sts::account:assumed-role/role-name/role-session-name

Based on what was posted:

arn:aws:sts::123456789012:assumed-role/my-service-role/aws-sdk-1111111111111 is not authorized to perform: secretsmanager:GetSecretValue

it looks like my-service-role is the name of the assumed role.

Lucas Roberts
  • I do not have the name of the role. I have the ARN provided in the question but that is an `arn:aws:sts`. The question is how to find the name of the role from that ARN? – Buh Buh Apr 20 '22 at 16:02
  • @BuhBuh I added an update to my answer to address your comment here – Lucas Roberts Apr 20 '22 at 16:07