.Net AWS SDK Caching Profile Credentials When Assuming Role

0

I recently changed the credentials in my default profile to a different AWS account. When I attempt to assume a role, I'm getting this error:

System.AggregateException: 'One or more errors occurred. (User: arn:aws:iam::[OLD ACCOUNT NUMBER]:user/[OLD USER NAME] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::[CORRECT ACCOUNT NUMBER]:role/[CORRECT ROLE NAME] )

When I run this code, I get the exception from above on the line indicated with // error

using Amazon;
using Amazon.SecretsManager;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;
using Microsoft.Extensions.Configuration;

public static string GetFromAwsSecretsManager(IConfiguration config)
{
    // No explicit credentials are passed, so the client resolves them through the SDK's default credential chain
    var stsClient = new AmazonSecurityTokenServiceClient();
    var accountId = stsClient.GetCallerIdentityAsync(new GetCallerIdentityRequest()).Result.Account;
    var roleArn = $"arn:aws:iam::{accountId}:role/{config["RoleToAssume"]}";

    var assumeRoleRequest = new AssumeRoleRequest
    {
        RoleArn = roleArn,
        RoleSessionName = "MySession",
    };

    var assumeRoleResponse = stsClient.AssumeRoleAsync(assumeRoleRequest).Result; // error

    // Extract the temporary credentials from the response
    var credentials = assumeRoleResponse.Credentials;

    // Use the temporary credentials to create a new instance of the AmazonSecretsManagerClient
    var secretsManagerClient =
        new AmazonSecretsManagerClient(credentials, RegionEndpoint.USWest2); // Replace USWest2 with the region you're using

    // GetSecretAsync and DecodeString are helper methods defined elsewhere in the poster's code
    var secretValueResponse = GetSecretAsync(secretsManagerClient, config["SecretName"]).Result;

    return DecodeString(secretValueResponse);
}

If someone could offer assistance I would appreciate it.

asked a year ago, 341 views
2 Answers
0

Hello,

Error: (User: arn:aws:iam::[OLD ACCOUNT NUMBER]:user/[OLD USER NAME] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::[CORRECT ACCOUNT NUMBER]:role/[CORRECT ROLE NAME] ) This error occurs when the user in the OLD account does not have the required permissions to assume the role in the CORRECT account. Please ensure that you have the required permissions below to perform the AssumeRole action across accounts.

Whenever an IAM role has to be assumed, two sets of permissions are required. In your case, the user from account A needs to assume the role in account B. So the required permissions for this are:

  • Permission on role in account B: The role that is being assumed should have a trust relationship that specifies which entity can assume it. In your case, the trust relationship of the role in account B should be configured to trust the user in account A.

And here's the example of the trust policy for roleB in account B:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::ACCOUNT_A:user/userA"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

  • Permission on the assuming entity's side (user in account A) which is assuming the said role should also have an attached permission policy that grants permission to assume the required role.

Here's the example of the permissions required for userA in account A:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToAssumeroleB",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::Account_B:role/roleB"
    }
  ]
}

You can also refer to this article for more information: https://repost.aws/knowledge-center/iam-assume-role-error#

Note: We require details that are non-public information for resource specific troubleshooting. Please open a support case with AWS using the following link: https://console.aws.amazon.com/support/home#/case/create

AWS
answered a year ago
0

My comment to the previous answer got cut off because apparently I type too much. I'll respond here.

Thank you for your detailed response. I understand how the security works and I have had things set as you suggested. I can see that my question was not detailed enough so it might have been confusing. Maybe I can explain a little better. I have a Dev account for AWS and I set my creds for it and can assume the role just fine from both the CLR and from .NET by using the AWS SDK. I changed my credentials to my Test AWS account and this is not working in .NET but it works just fine in the CLR. I don't want my Dev account to assume a role belonging to my Test account.

I want this: 1 - Account on DEV - Dev user assumes Dev role. OR 2 - Account on TEST - Test account assumes Test role

I got part 1 above to work - Dev user assumes Dev role. When I changed my credentials to use part 2, it worked just fine in the CLR. Test account assumed Test role and retrieved Test credentials from secrets manager. However, when I ran the code from .Net, I got an error similar to this:

"Dev User cannot assume Test role."

My credentials are set correctly, as proven by the AWS CLR. In .NET, it is appearing to be CACHING the DEV USER. Otherwise, why would it give that error message? Again, I don't want my Dev user to assume the Test role. I want the Test user to assume the Test role.

By the way, my workaround here is to never change from the DEV account and just accept the fact that I can't change it. Once it is set, at least on my machine, it will cache the user forever.

answered a year ago
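One way to take the default credential chain out of the picture, as an added example that is not code from either post: resolve a named profile explicitly, verify with sts:GetCallerIdentity that it maps to the account you expect, and only then build role credentials from it. The profile name, expected account id and role name are assumed inputs; the SDK types used (CredentialProfileStoreChain, AssumeRoleAWSCredentials) are from AWSSDK.Core and AWSSDK.SecurityToken.

```csharp
using System;
using System.Threading.Tasks;
using Amazon;
using Amazon.Runtime;
using Amazon.Runtime.CredentialManagement;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public static class ExplicitProfileAssumeRole
{
    // Resolves credentials from a named profile rather than whatever the SDK's default chain
    // resolved (and cached) earlier in the process. All parameters are assumptions for this example.
    public static async Task<AWSCredentials> AssumeRoleFromProfileAsync(
        string profileName, string expectedAccountId, string roleName, RegionEndpoint region)
    {
        // Searches the SDK Store and the shared credentials file for the named profile
        var chain = new CredentialProfileStoreChain();
        if (!chain.TryGetAWSCredentials(profileName, out var sourceCredentials))
            throw new InvalidOperationException(
                $"Profile '{profileName}' was not found in the SDK store or shared credentials file.");

        // Fail closed: confirm which identity the profile actually resolves to before assuming anything.
        // This is the check that would have surfaced the "wrong user" problem in the question immediately.
        using var sts = new AmazonSecurityTokenServiceClient(sourceCredentials, region);
        var me = await sts.GetCallerIdentityAsync(new GetCallerIdentityRequest());
        if (me.Account != expectedAccountId)
            throw new InvalidOperationException(
                $"Profile '{profileName}' resolved to {me.Arn}, expected account {expectedAccountId}.");

        // Build the role ARN from the verified account, not from the caller identity of unknown origin
        var roleArn = $"arn:aws:iam::{expectedAccountId}:role/{roleName}";

        // AssumeRoleAWSCredentials calls sts:AssumeRole with the verified source credentials
        // and refreshes the temporary credentials before they expire.
        return new AssumeRoleAWSCredentials(sourceCredentials, roleArn, "MySession");
    }
}
```

The returned credentials can be passed to any service client constructor (for example AmazonSecretsManagerClient) in place of the raw AssumeRole response; if a process must keep using the default chain after switching profiles, Amazon.Runtime.FallbackCredentialsFactory.Reset() clears its cached result.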
