
I have created a Lambda function URL secured with IAM_AUTH and have created a user attached to a group containing a policy which can invoke function URLs.

Taking the user's Access Key and Secret Key I can call the function url in Postman with a 200 OK response.

However, I want to have my users assume a role to grant them the lambda:InvokeFunctionUrl action.

So, I have created a role with the above policy attached and set the trust relationship to a new user:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::012345678901:user/myFunctionUrlUser"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}

That user is not in any group and has just one inline policy attached, allowing it to assume any role in my account...

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunctionUrl",
            "Resource": "arn:aws:lambda:*:012345678901:function:*"
        }
    ]
}

However, when I use this user's Access Key and Secret in Postman I get 403 Forbidden.

What am I missing?
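The permission the assuming user needs is sts:AssumeRole on the role itself (the trust policy on the role is only half of the handshake). As an added example that is not from the original post, here is an inline policy for myFunctionUrlUser scoped to a single role rather than to every role in the account; the account ID is the one from the question, and the role name myFunctionUrlRole is a placeholder:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeFunctionUrlRoleOnly",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::012345678901:role/myFunctionUrlRole"
        }
    ]
}
```

Note that this policy grants the user nothing on Lambda directly; lambda:InvokeFunctionUrl is obtained only through the role, which is the point of the setup. A user whose own keys can already invoke the URL would never need to assume the role.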

Paolo
Matt W

1 Answer


You shouldn't be using the credentials of the user directly; instead, you should be assuming the role that you created.

Open a new terminal and export the user's credentials:

$ export AWS_ACCESS_KEY_ID=...
$ export AWS_SECRET_ACCESS_KEY=...

Then assume the IAM role (replace <ROLE-ARN> with the ARN of your role):

$ aws sts assume-role --role-arn <ROLE-ARN> --role-session-name "mysession" --duration-seconds 3600

This will return the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN of the session. Use those in Postman.

Paolo
  • Thank you @paolo (again). After thinking some more in downtime I started to suspect another action was required - the assuming itself. Does this mean the session token will expire and the role assumption will need to be performed repeatedly? – Matt W Oct 01 '22 at 08:58
  • 1
    @MattW that's right. the max duration that you can specify is 12 hours though (43200 seconds) – Paolo Oct 01 '22 at 09:14
  • The only properties that `aws sts get-caller-identity` appears to return are `UserId`, `Account` and `Arn` - none of which are accepted in the Sig4 form in Postman. I used the values returned by the `aws sts assume-role` command, but it leaves me wondering why you mention the `get-caller-identity`? – Matt W Oct 01 '22 at 19:32
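What the answer's last step amounts to, as an added example that is not part of the original question or answer: a standard-library Python script that takes the Credentials block from `aws sts assume-role` output and computes the SigV4 headers that Postman's "AWS Signature" auth builds for a GET to the function URL (service name `lambda`, region taken from the URL's hostname). The function URL, role name, key IDs and session token below are constructed placeholders and every credential value is fake; nothing is sent over the network.

```python
"""Sign a Lambda function URL request with STS role-session credentials (added example)."""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from urllib.parse import quote, urlparse

# Constructed stand-in for the JSON printed by `aws sts assume-role`. All values are
# fake; the "ASIA" prefix is the shape STS uses for temporary keys (user keys start "AKIA").
SAMPLE_ASSUME_ROLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",
        "SecretAccessKey": "exampleSecretKeyNotRealNotRealNotReal123",
        "SessionToken": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN",
        "Expiration": "2022-10-01T10:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEEXAMPLE01:mysession",
        "Arn": "arn:aws:sts::012345678901:assumed-role/myFunctionUrlRole/mysession",
    },
})
SAMPLE_URL = "https://abc123example.lambda-url.eu-west-1.on.aws/"   # placeholder function URL
FIXED_TIME = datetime(2022, 10, 1, 9, 0, tzinfo=timezone.utc)        # fixed clock for reproducibility


def credentials_from_assume_role(output: str) -> dict:
    """Extract the three values Postman asks for (AccessKey, SecretKey, Session Token)."""
    creds = json.loads(output)["Credentials"]
    return {
        "access_key": creds["AccessKeyId"],
        "secret_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],   # after this, assume-role has to be run again
    }


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def _canonical_query(query: str) -> str:
    """Encode each name and value, then sort by name and value, as SigV4 requires."""
    if not query:
        return ""
    pairs = []
    for part in query.split("&"):
        name, _, value = part.partition("=")
        pairs.append((quote(name, safe="-_.~"), quote(value, safe="-_.~")))
    return "&".join(f"{n}={v}" for n, v in sorted(pairs))


def sign_function_url_request(url, access_key, secret_key, session_token, region, when,
                              method="GET", body=b"") -> dict:
    """Return the request headers (incl. Authorization) for a SigV4-signed call to `url`."""
    parsed = urlparse(url)
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")
    service = "lambda"                                   # function URLs are signed as "lambda"
    payload_hash = hashlib.sha256(body).hexdigest()

    headers = {"host": parsed.netloc, "x-amz-content-sha256": payload_hash, "x-amz-date": amz_date}
    if session_token:
        # Temporary credentials are only valid together with their session token, and the
        # token is itself a signed header, so it cannot be left out or pasted separately.
        headers["x-amz-security-token"] = session_token
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{name}:{headers[name]}\n" for name in sorted(headers))

    canonical_request = "\n".join([
        method, quote(parsed.path or "/", safe="/~"), _canonical_query(parsed.query),
        canonical_headers, signed_headers, payload_hash,
    ])
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    out = {name: value for name, value in headers.items() if name != "host"}  # host is sent by the client
    out["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                            f"SignedHeaders={signed_headers}, Signature={signature}")
    return out


if __name__ == "__main__":
    creds = credentials_from_assume_role(SAMPLE_ASSUME_ROLE_OUTPUT)
    for name, value in sign_function_url_request(
            SAMPLE_URL, creds["access_key"], creds["secret_key"], creds["session_token"],
            "eu-west-1", datetime.now(timezone.utc)).items():
        print(f"{name}: {value}")
```

This is why the AccessKey/SecretKey/Session Token triple from assume-role must be pasted into Postman together: the token goes into X-Amz-Security-Token, which is one of the signed headers, and the Credential scope names the temporary key ID rather than the user's. Once the Expiration timestamp passes the signature is rejected and assume-role has to be run again; the value passed to --duration-seconds also cannot exceed the maximum session duration configured on the role (one hour unless it was raised).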