I'm trying to call the AWS EC2 API (using the C# SDK) by using access delegation as described here: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_cross-account-with-roles.html
I've followed all the steps in the guide. I've set up a role in the secondary account like this:
and I gave it permission to read data from the EC2 API:
Then in the "master" account I've set up a policy that lets me assume the role I created in the secondary account:
And finally I've assigned the policy to the account I'm using to connect to the SDK.
In my C# code, I am perfectly able to assume the credentials; it works without issues. However, when trying to contact the EC2 API I get a generic error that is rather unhelpful:
HttpErrorResponseException: Exception of type 'Amazon.Runtime.Internal.HttpErrorResponseException' was thrown
My code is as follows; you can see where the exception is raised:
using System.Threading.Tasks;
using Amazon;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

// masterKeyId / masterKeySecret are the long-lived keys of the "master" account user
// (loaded elsewhere in the class, not shown)
private static async Task Test()
{
    // Assume the cross-account role with STS (this step succeeds)
    var tokenClient = new AmazonSecurityTokenServiceClient(masterKeyId, masterKeySecret);
    var tokenResult = await tokenClient.AssumeRoleAsync(new AssumeRoleRequest()
    {
        DurationSeconds = 60 * 15,
        RoleArn = "arn:aws:iam::522869052018:role/Accesso_API_EC2_da_account_sistemi",
        RoleSessionName = "TestSession"
    });

    // Call the EC2 API with the temporary credentials (this call raises the exception).
    // Amazon.SecurityToken.Model.Credentials derives from AWSCredentials, so it can be
    // passed to the client constructor directly.
    var ec2client = new Amazon.EC2.AmazonEC2Client(tokenResult.Credentials, RegionEndpoint.EUSouth1);
    var response = await ec2client.DescribeInstancesAsync();
}
Can anyone tell me what I'm doing wrong?
EDIT: here is the full stack trace:
Amazon.EC2.AmazonEC2Exception: AWS was not able to validate the provided access credentials
---> Amazon.Runtime.Internal.HttpErrorResponseException: Exception of type 'Amazon.Runtime.Internal.HttpErrorResponseException' was thrown.
at Amazon.Runtime.HttpWebRequestMessage.GetResponseAsync(CancellationToken cancellationToken)
at Amazon.Runtime.Internal.HttpHandler`1.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.Unmarshaller.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.EC2.Internal.AmazonEC2ResponseHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.ErrorHandler.InvokeAsync[T](IExecutionContext executionContext)
--- End of inner exception stack trace ---
at Amazon.Runtime.Internal.HttpErrorResponseExceptionHandler.HandleExceptionStream(IRequestContext requestContext, IWebResponseData httpErrorResponse, HttpErrorResponseException exception, Stream responseStream)
at Amazon.Runtime.Internal.HttpErrorResponseExceptionHandler.HandleExceptionAsync(IExecutionContext executionContext, HttpErrorResponseException exception)
at Amazon.Runtime.Internal.ExceptionHandler`1.HandleAsync(IExecutionContext executionContext, Exception exception)
at Amazon.Runtime.Internal.ErrorHandler.ProcessExceptionAsync(IExecutionContext executionContext, Exception exception)
at Amazon.Runtime.Internal.ErrorHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.EndpointDiscoveryHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.EndpointDiscoveryHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.CredentialsRetriever.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.RetryHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.RetryHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.ErrorCallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.MetricsHandler.InvokeAsync[T](IExecutionContext executionContext)
at AwsCostApiTest.Program.Test()
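As an added example (not the poster's code, and not a confirmed diagnosis of the error above), here is the same assume-role-then-call-EC2 flow written the way a practitioner would set it up for review: the STS client is pinned to the same region as the EC2 call rather than the default global endpoint, the long-lived keys come from the SDK's default credential chain instead of source code, the temporary credentials are converted explicitly into `SessionAWSCredentials`, and the `AmazonEC2Exception` is caught so that its `ErrorCode`, `StatusCode` and `RequestId` are logged instead of the bare "was not able to validate" message. The regional-endpoint choice matters because eu-south-1 (Milan) is an opt-in region, and session tokens issued by the global STS endpoint are not accepted in opt-in regions unless the account's STS global token version has been raised to v2; whether that is what fails in the poster's setup is an assumption. The role ARN is read from a `ROLE_ARN` environment variable (a placeholder for the real value), and the `AWSSDK.SecurityToken` and `AWSSDK.EC2` v3 packages are assumed.

```csharp
// Added example, not code from the question. Assumes AWSSDK.SecurityToken and AWSSDK.EC2 (v3).
// ROLE_ARN is a placeholder environment variable holding the cross-account role to assume.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Amazon;
using Amazon.EC2;
using Amazon.EC2.Model;
using Amazon.Runtime;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public static class CrossAccountEc2
{
    // STS and EC2 are pinned to the same region. eu-south-1 is an opt-in region, and tokens
    // minted by the global STS endpoint are rejected there unless the account's global token
    // version is v2; using the regional STS endpoint sidesteps that failure mode.
    private static readonly RegionEndpoint Region = RegionEndpoint.EUSouth1;

    public static async Task<int> CountRunningInstancesAsync(string roleArn)
    {
        // The caller's own credentials come from the default chain (environment variables,
        // shared profile, instance role), so no long-lived keys live in source code.
        var stsConfig = new AmazonSecurityTokenServiceConfig { RegionEndpoint = Region };
        using var sts = new AmazonSecurityTokenServiceClient(stsConfig);

        var assumed = await sts.AssumeRoleAsync(new AssumeRoleRequest
        {
            RoleArn = roleArn,
            RoleSessionName = $"ec2-readonly-{Environment.UserName}", // shows up in CloudTrail
            DurationSeconds = 900 // the minimum STS allows: least privilege in time as well
        });

        // Convert the STS model object into explicit session credentials for the EC2 client.
        var c = assumed.Credentials;
        var session = new SessionAWSCredentials(c.AccessKeyId, c.SecretAccessKey, c.SessionToken);

        using var ec2 = new AmazonEC2Client(session, Region);
        var running = 0;
        string nextToken = null;
        try
        {
            do
            {
                var page = await ec2.DescribeInstancesAsync(new DescribeInstancesRequest
                {
                    NextToken = nextToken,
                    Filters = { new Filter("instance-state-name", new List<string> { "running" }) }
                });
                foreach (var reservation in page.Reservations)
                    running += reservation.Instances.Count;
                nextToken = page.NextToken;
            } while (!string.IsNullOrEmpty(nextToken));
        }
        catch (AmazonEC2Exception ex)
        {
            // Surface the fields that actually identify the failure instead of the generic
            // message; the RequestId is what AWS Support and CloudTrail can be matched on.
            Console.Error.WriteLine(
                $"EC2 call failed: code={ex.ErrorCode} status={(int)ex.StatusCode} requestId={ex.RequestId}");
            throw;
        }
        return running;
    }

    public static async Task Main()
    {
        var roleArn = Environment.GetEnvironmentVariable("ROLE_ARN")
                      ?? throw new InvalidOperationException("ROLE_ARN is not set");
        var count = await CountRunningInstancesAsync(roleArn);
        Console.WriteLine($"Running instances visible through the assumed role: {count}");
    }
}
```

If the call still fails with the regional STS endpoint, the logged `ErrorCode` (for example `AuthFailure` versus `UnauthorizedOperation`) separates a credential-validation problem from a missing permission in the role's policy, which the original message does not.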