AWS SSO Required permission to run aws sts get-caller-identity

Question

For an AWS SSO user, when they run

```
`aws sts get-caller-identity`
```

the following error occurs

```
`An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access`
```

I can't find any reference as to what permission the user needs to execute this command.

The user has the following policy:

```
arn:aws:iam::aws:policy/ReadOnlyAccess 
```

and this inline policy:

```
    {
            "Sid": "sts",
            "Effect": "Allow",
            "Action": "sts:GetServiceBearerToken",
            "Resource": "*",
            "Condition": {
                "NumericEquals": {
                    "sts:DurationSeconds": 43200
                },
                "StringEquals": {
                    "sts:AWSServiceName": "codeartifact.amazonaws.com"
                }
            }
        }
    ]
```

Answer

Are you using AWS SSO Permission Sets to assign IAM policies to your users? https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-overview.html. As you suggest you are applying an inline policy I would assume not (since inline policies only apply to IAM users)?

If you *are* using SSO Permission Sets, then the read only permission set `AWSReadOnlyAccess` which uses the AWS Managed Policy `arn:aws:iam::aws:policy/job-function/ViewOnlyAccess` does not specifically include STS:* as a permission. Therefore I would assume that it is being implicitly denied.

If you could clarify it would help greatly.

AWS SSO Required permission to run aws sts get-caller-identity

관련 콘텐츠