Hello,
Thank you for querying in this forum.
From the descriptions, I understand that you are using a trust policy with a condition key "aws:TokenIssueTime" for an IAM role where an IAM user will be assuming that role. The IAM user will be logging into the system with the MFA credentials and after obtaining the required credentials, the IAM user is assuming the role. But, you are facing an issue when you are trying to use the below trust policy along with the condition key "aws:TokenIssueTime".
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789:user/bla-bla"
},
"Action": "sts:AssumeRole",
"Condition": {
"Null": {
"aws:TokenIssueTime": "false"
}
}
}
]
}
Firstly, we can use the condition key "aws:TokenIssueTime"[1] to compare the date and time that temporary security credentials were issued with the date and time that you specify in the policy.
Availability – This key is included in the request context only when the principal uses temporary credentials to make the request. The key is not present in AWS CLI, AWS API, or AWS SDK requests that are made using access keys.
Data type – Date
Value type – Single-valued
We can use a Null condition operator[2] to check if a condition key is absent at the time of authorization. In the policy statement, we can use either true (the key doesn't exist — it is null) or false (the key exists and its value is not null).
For example, you can use this condition operator to determine whether a user is using their own credentials for the operation or temporary credentials. If the user is using temporary credentials, then the key aws:TokenIssueTime exists and has a value. The following example shows a condition that states that the user must not be using temporary credentials (the key must not exist) for the user to use the Amazon EC2 API.
Example policy:
{
"Version": "2012-10-17",
"Statement":{
"Action":"ec2:*",
"Effect":"Allow",
"Resource":"*",
"Condition":{"Null":{"aws:TokenIssueTime":"true"}}
}
}
I have replicated the entire scenario at my end by enforcing a trust policy similar to yours on one of the IAM roles and by assuming the IAM role from an IAM user after enforcing MFA for that user. The condition key "aws:TokenIssueTime" is working as expected, as stated above, in my lab environment.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Statement1",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789:user/abc"
},
"Action": "sts:AssumeRole",
"Condition": {
"Null": {
"aws:TokenIssueTime": "false"
}
}
}
]
}
If you are using the CLI to perform the assume-role operation, please make sure that you are using the commands below[3][4]:
aws sts get-session-token --serial-number arn-of-the-mfa-device --token-code code-from-token
You receive an output with temporary credentials and an expiration time. Configure the required credentials in the CLI from the output obtained using above command and you can perform the AssumeRole operation using the below command.
aws sts assume-role --role-arn <value> --role-session-name <value>
You can also check the CloudTrail event "AssumeRole" API call to check whether the token is being passed when you are performing the operation in the "responseElements" field.
Hence, to troubleshoot the issue further, we would require more information about the existing setup that you're currently using. In case the issue still persists, I would request that you open a support case, where we can do a deep dive into the resources to find out the actual root cause.
Thank you for your interest in re:Post community. Have a great day!
REFERENCES:
[3] https://repost.aws/knowledge-center/authenticate-mfa-cli
[4] https://docs.aws.amazon.com/cli/latest/reference/sts/assume-role.html
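The following is an added example, not part of the re:Post answer above, that simulates locally how IAM's Null condition operator treats the aws:TokenIssueTime key for the two policies discussed in the answer (the trust policy with "false", which requires temporary credentials, and the EC2 policy with "true", which forbids them). The credential dictionaries are constructed samples shaped like the output of aws sts get-session-token; the evaluator is a deliberate simplification of IAM policy evaluation that handles only a Null block, and it assumes, per the availability note quoted in the answer, that aws:TokenIssueTime is present in the request context exactly when the caller signs with a session token.

```python
"""Local simulation of IAM's Null operator on aws:TokenIssueTime.

Added example (not from the re:Post answer). Credentials below are
constructed samples; the evaluator only models the Null operator.
"""
from datetime import datetime, timezone

# Trust policy from the question: key must be PRESENT (temporary credentials required).
TRUST_POLICY_CONDITION = {"Null": {"aws:TokenIssueTime": "false"}}
# EC2 policy from the IAM docs: key must be ABSENT (long-term access keys required).
EC2_POLICY_CONDITION = {"Null": {"aws:TokenIssueTime": "true"}}

# Constructed sample shaped like the output of
# `aws sts get-session-token --serial-number <mfa-arn> --token-code <code>`.
SESSION_TOKEN_CREDENTIALS = {
    "AccessKeyId": "ASIAEXAMPLE",
    "SecretAccessKey": "example-secret",
    "SessionToken": "FwoGZXIvYXdzEXAMPLE",
    "Expiration": "2024-01-01T12:00:00Z",
}
# Constructed sample: a long-term IAM user access key pair (no session token).
LONG_TERM_CREDENTIALS = {"AccessKeyId": "AKIAEXAMPLE", "SecretAccessKey": "example-secret"}


def build_request_context(credentials, issued_at=None):
    """Return the condition keys IAM would populate for this credential type.

    Assumption (from the availability note): aws:TokenIssueTime is only set
    when the request is signed with temporary credentials, i.e. a session token.
    """
    context = {}
    if credentials.get("SessionToken"):
        issued = issued_at or datetime.now(timezone.utc)
        context["aws:TokenIssueTime"] = issued.isoformat()
    return context


def evaluate_null_condition(condition, context):
    """Evaluate a {"Null": {key: "true"|"false"}} block against a request context.

    "true"  -> matches when the key is absent from the context (null)
    "false" -> matches when the key is present with a non-null value
    Every key listed in the block must match for the condition to hold.
    """
    null_block = condition.get("Null", {})
    for key, expected in null_block.items():
        if expected not in ("true", "false"):
            raise ValueError(f"Null operator value must be 'true' or 'false', got {expected!r}")
        key_is_absent = context.get(key) is None
        if (expected == "true") != key_is_absent:
            return False
    return True


def can_assume_role(credentials):
    """Would the sts:AssumeRole trust policy statement match for these credentials?"""
    return evaluate_null_condition(TRUST_POLICY_CONDITION, build_request_context(credentials))


def can_call_ec2(credentials):
    """Would the ec2:* policy statement match for these credentials?"""
    return evaluate_null_condition(EC2_POLICY_CONDITION, build_request_context(credentials))


if __name__ == "__main__":
    for name, creds in [("session-token creds", SESSION_TOKEN_CREDENTIALS),
                        ("long-term access keys", LONG_TERM_CREDENTIALS)]:
        print(f"{name}: AssumeRole allowed={can_assume_role(creds)}, "
              f"ec2:* allowed={can_call_ec2(creds)}")
```

Running it shows the two policies are mirror images: the session-token credentials satisfy the trust policy but not the EC2 policy, and the long-term keys do the opposite. If AssumeRole is being denied in practice, the first thing to confirm is that the CLI profile actually carries the session token from get-session-token rather than the user's long-term keys.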