Access Denied error calling AWS Pinpoint API from EKS cluster


I'm trying to send an SMS message from an EKS pod using the Java SDK. I've created a role with policy (shown below), associated that role with a ServiceAccount, and associated the ServiceAccount with my deployment. When I call the SendTextMessage API, I receive the following:

software.amazon.awssdk.services.pinpointsmsvoicev2.model.AccessDeniedException: User: arn:aws:sts:::assumed-role/auth-dev-serviceaccount-role/aws-sdk-java-1703174127711 is not authorized to perform: sms-voice:SendTextMessage because no identity-based policy allows the sms-voice:SendTextMessage action (Service: PinpointSmsVoiceV2, Status Code: 400, Request ID: 569fc680-4d9c-4ad3-a5be-fa0a5b4d62ad)

The policy associated with auth-dev-serviceaccount-role is:

{
    "Statement": [
        {
            "Action": "sms-voice:*",
            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:sms-voice:*:364344555118:*"
                },
                "StringEquals": {
                    "aws:SourceAccount": "364344555118"
                }
            },
            "Effect": "Allow",
            "Resource": "*",
            "Sid": "SMSVoiceFullAccess"
        }
    ],
    "Version": "2012-10-17"
}

Trust relationship looks like:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<account id>:oidc-provider/oidc.eks.us-east-2.amazonaws.com/id/9E19C2D11165947D17A2934157497968"
            },
            "Action": "sts:AssumeRoleWithWebIdentity"
        }
    ]
}

The spec for the Deployment shows that the service account is associated:

serviceAccountName: auth-dev-serviceaccount
serviceAccount: auth-dev-serviceaccount

and the error message indicates that the correct role (auth-dev-serviceaccount-role) was assumed.

Can anyone see what I'm doing wrong or suggest ways to debug this?

asked 5 months ago, 215 views

1 Answer

Accepted Answer

On inspecting the policy I observed that you added the “Condition” element below to “sms-voice:*” for all resources. But Pinpoint SMS Voice has no service-specific context keys that can be used in the Condition element of policy statements.

Remove the below part in Role policy:

"Condition": {
    "ArnLike": {
        "aws:SourceArn": "arn:aws:sms-voice:*:364344555118:*"
    },
    "StringEquals": {
        "aws:SourceAccount": "364344555118"
    }
}

Upon removing the above “Condition” element from the policy, the IAM identity will be able to access the Pinpoint resources. Thus, I request you to remove the above “Condition” element from your role policy and check if it works for you as well.

Mihir G (AWS, EXPERT)
answered 5 months ago
reviewed 4 months ago
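As an added illustration (not part of the question or the accepted answer), the Python model below evaluates the posted policy the way IAM does for the two condition operators it uses: `aws:SourceArn` and `aws:SourceAccount` are only populated when an AWS service calls on behalf of one of your resources, so for the pod's direct call through its IRSA role the keys are absent, the Condition evaluates to false, no Allow matches, and the result is the implicit deny seen in the error. The request contexts, the pool ARN and the simplified evaluator are constructed for this example.

```python
import copy
import fnmatch

# The role policy from the question (account id as posted), Condition block included.
POLICY_WITH_CONDITION = {"Version": "2012-10-17", "Statement": [{
    "Sid": "SMSVoiceFullAccess", "Effect": "Allow", "Action": "sms-voice:*", "Resource": "*",
    "Condition": {"ArnLike": {"aws:SourceArn": "arn:aws:sms-voice:*:364344555118:*"},
                  "StringEquals": {"aws:SourceAccount": "364344555118"}}}]}

def condition_matches(condition, ctx):
    """IAM rule modelled: a key absent from the request context makes StringEquals
    and ArnLike evaluate to false (only the ...IfExists variants tolerate absence)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            if key not in ctx:
                return False
            # Only the two operators used on this page are modelled.
            ok = (ctx[key] == expected if operator == "StringEquals"
                  else fnmatch.fnmatchcase(ctx[key], expected))  # ArnLike: * and ? wildcards
            if not ok:
                return False
    return True

def is_allowed(policy, action, ctx):
    """Simplified identity-policy evaluation: explicit Deny wins, any matching Allow
    grants, otherwise implicit deny. Resource is "*" on this page, so it is not checked."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if not any(fnmatch.fnmatchcase(action, a) for a in actions):
            continue
        if not condition_matches(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def without_condition(policy):
    """The fix from the accepted answer: drop the Condition block from every statement."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        stmt.pop("Condition", None)
    return fixed

# Constructed request contexts. A pod calling the API directly via its IRSA role carries
# no aws:SourceArn / aws:SourceAccount; those keys are set only when an AWS service
# calls on behalf of one of your resources (the confused-deputy case the Condition fits).
DIRECT_CALL_CTX = {"aws:PrincipalAccount": "364344555118"}
SERVICE_CALL_CTX = {"aws:SourceAccount": "364344555118",
                    "aws:SourceArn": "arn:aws:sms-voice:us-east-2:364344555118:pool/constructed-pool-id"}
```

Running `is_allowed` with `DIRECT_CALL_CTX` against the original policy returns False and against `without_condition(...)` returns True; the same Condition does match `SERVICE_CALL_CTX`, which is the kind of caller it was written for.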
