Hi, I'd strongly suggest you insert a call to STS GetCallerIdentity just to ensure that you access the API with the user / role that you believe you are using. Sometimes you're under a different identity than you believe: it happened to me a couple of times...
This STS API verb is one of the very rare ones not requiring any credentials to succeed.
If the identity (user, role, etc.) is the one that you believe, then you can start checking the IAM authorizations. Yours seem correct.
Some code examples here: https://www.tabnine.com/code/java/methods/com.amazonaws.services.securitytoken.AWSSecurityTokenService/getCallerIdentity
To set up credentials, I usually use the credentials chain proposed by DefaultCredentialsProvider: see https://docs.aws.amazon.com/sdk-for-java/latest/developer-guide/credentials-chain.html
Best,
Didier
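The identity check suggested above, written out for AWS SDK for Java v2 as an added example (this is not code from the thread or from the AWS docs links). The region and the expected ARN prefix are placeholders to replace with your own. GetCallerIdentity is signed with whatever credentials the default chain resolves (environment variables, a profile, a container or instance role), and it needs no IAM permission to succeed, which is exactly why it tells you which principal you really hold before you start reading IAM policies.

```java
// Added example (not from the thread): verify which AWS identity the SDK v2
// default credentials chain actually resolved before touching S3 Control.
// Assumed placeholders: the region and EXPECTED_ARN_PREFIX below.
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;

public class WhoAmICheck {

    // Placeholder: the principal you believe the code is running as.
    private static final String EXPECTED_ARN_PREFIX =
            "arn:aws:iam::123456789012:user/staging-user";

    public static void main(String[] args) {
        try (StsClient sts = StsClient.builder()
                .region(Region.EU_CENTRAL_1) // placeholder region
                .credentialsProvider(DefaultCredentialsProvider.create())
                .build()) {

            // Signed with whatever the chain resolved. The call needs valid
            // credentials but no IAM allow, so it reports the identity you
            // actually hold rather than the one you configured somewhere else.
            GetCallerIdentityResponse id = sts.getCallerIdentity();
            System.out.printf("account=%s%narn=%s%nuserId=%s%n",
                    id.account(), id.arn(), id.userId());

            // Fail fast instead of debugging an IAM policy for the wrong principal.
            // Note that an assumed role shows up as
            // arn:aws:sts::<account>:assumed-role/<role>/<session>, not as the
            // role's IAM ARN, so compare against the form you expect to see.
            if (!id.arn().startsWith(EXPECTED_ARN_PREFIX)) {
                throw new IllegalStateException(
                        "Running as " + id.arn() + ", expected " + EXPECTED_ARN_PREFIX);
            }
        }
    }
}
```

Run this once at start-up of the job-creation code path; if the ARN printed is not the one you expected, fix the credential chain first, since any IAM troubleshooting done against the wrong principal is wasted.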
Hi, yes, getCallerIdentity gives me the staging-user. I also looked at these examples https://github.com/awsdocs/aws-doc-sdk-examples/blob/main/javav2/example_code/s3/src/main/java/com/example/s3/CreateJob.java#L50C22-L50C22 but I can't find any difference/what's wrong with my permissions.
Edit: Ah, I do get an error assuming the job-role - what permissions am I missing? Edit2: OK (https://repost.aws/knowledge-center/iam-assume-role-error), now my staging-user can assume the role, but I still get an error creating the job.
Have a look at https://docs.aws.amazon.com/AmazonS3/latest/userguide/troubleshooting-batch-operations.html#access-denied : you probably have to add s3:GetObject to the auths of staging-user.
If that's not enough, can you put action:* one by one for iam, sts and s3 in the auths of staging-user to see in which area you're missing auths? Then, when you've located which one it is, you can start to tighten up again to go back to least privilege.
It would be good if you shared your stack trace for this error: it would help locate the root cause.
I did as you said. I also created a job using the role via the console - just to check if it works (it does).
My next try would be to assume the role and somehow create an S3ControlClient with the role, but I am not sure if this is even possible (only Python unfortunately: https://docs.aws.amazon.com/IAM/latest/UserGuide/example_sts_Scenario_AssumeRoleMfa_section.html).
This is the stack trace: https://pastebin.com/cnNuzWGB and it occurs on this line of code: s3ControlClient.createJob(jobRequest); This is the whole policy for the staging user:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Allow",
          "Action": ["s3:*", "sts:*", "iam:*"],
          "Resource": "*"
        }
      ]
    }
Also using the role's credentials and creating the job doesn't work.
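The "assume the role, then build an S3ControlClient on it" path asked about above is possible in Java as well; the following is an added example for AWS SDK for Java v2, not code from the thread or from the linked AWS samples. The account ID, role ARN, manifest ARN and ETag, region, and the tag applied by the job are placeholders. Two caveats that hold whichever principal signs CreateJob: it must be allowed s3:CreateJob, and it must hold iam:PassRole on the role named in the request's roleArn (the role S3 Batch Operations will run the job under), so assuming the job role first does not remove that requirement, it just moves it onto the role's own policy. The assuming principal (here staging-user) also needs sts:AssumeRole on the role, and the role's trust policy must allow that principal.

```java
// Added example (not from the thread): assume a role with STS, sign S3 Control
// calls with the temporary session credentials, and submit a CreateJob.
// Assumed placeholders: REGION, ACCOUNT_ID, JOB_ROLE_ARN, MANIFEST_ARN,
// MANIFEST_ETAG and the tag applied by the job. Replace with your own values.
import software.amazon.awssdk.auth.credentials.AwsCredentialsProvider;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.s3control.S3ControlClient;
import software.amazon.awssdk.services.s3control.model.CreateJobRequest;
import software.amazon.awssdk.services.s3control.model.CreateJobResponse;
import software.amazon.awssdk.services.s3control.model.JobManifest;
import software.amazon.awssdk.services.s3control.model.JobManifestFieldName;
import software.amazon.awssdk.services.s3control.model.JobManifestFormat;
import software.amazon.awssdk.services.s3control.model.JobManifestLocation;
import software.amazon.awssdk.services.s3control.model.JobManifestSpec;
import software.amazon.awssdk.services.s3control.model.JobOperation;
import software.amazon.awssdk.services.s3control.model.JobReport;
import software.amazon.awssdk.services.s3control.model.S3SetObjectTaggingOperation;
import software.amazon.awssdk.services.s3control.model.S3Tag;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.auth.StsAssumeRoleCredentialsProvider;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;

public class CreateJobAsRole {

    // All placeholders: substitute your own account, role, manifest and region.
    static final Region REGION = Region.EU_CENTRAL_1;
    static final String ACCOUNT_ID = "123456789012";
    static final String JOB_ROLE_ARN = "arn:aws:iam::123456789012:role/job-role";
    static final String MANIFEST_ARN = "arn:aws:s3:::my-manifests/manifest.csv";
    static final String MANIFEST_ETAG = "d41d8cd98f00b204e9800998ecf8427e";

    public static void main(String[] args) {
        // 1. Long-lived identity (staging-user) from the default chain. It needs
        //    sts:AssumeRole on JOB_ROLE_ARN, and the role's trust policy must
        //    name this principal.
        StsClient sts = StsClient.builder()
                .region(REGION)
                .credentialsProvider(DefaultCredentialsProvider.create())
                .build();

        // 2. Provider that calls AssumeRole and refreshes the session
        //    credentials before they expire; no manual key handling needed.
        AwsCredentialsProvider roleCreds = StsAssumeRoleCredentialsProvider.builder()
                .stsClient(sts)
                .refreshRequest(AssumeRoleRequest.builder()
                        .roleArn(JOB_ROLE_ARN)
                        .roleSessionName("batch-ops-createjob")
                        .build())
                .build();

        // 3. Every S3 Control call below is signed with the assumed role's
        //    session credentials, not with staging-user's access keys.
        try (S3ControlClient s3control = S3ControlClient.builder()
                .region(REGION)
                .credentialsProvider(roleCreds)
                .build()) {

            CreateJobRequest request = CreateJobRequest.builder()
                    .accountId(ACCOUNT_ID)
                    // Role S3 Batch Operations runs the job under. The signing
                    // principal (here the assumed role itself) must hold
                    // iam:PassRole on it and s3:CreateJob.
                    .roleArn(JOB_ROLE_ARN)
                    .priority(10)
                    .confirmationRequired(false)
                    .manifest(JobManifest.builder()
                            .spec(JobManifestSpec.builder()
                                    .format(JobManifestFormat.S3_BATCH_OPERATIONS_CSV_20180820)
                                    .fields(JobManifestFieldName.BUCKET, JobManifestFieldName.KEY)
                                    .build())
                            .location(JobManifestLocation.builder()
                                    .objectArn(MANIFEST_ARN)
                                    .eTag(MANIFEST_ETAG)
                                    .build())
                            .build())
                    // Placeholder operation: tag every listed object.
                    .operation(JobOperation.builder()
                            .s3PutObjectTagging(S3SetObjectTaggingOperation.builder()
                                    .tagSet(S3Tag.builder().key("scanned").value("true").build())
                                    .build())
                            .build())
                    .report(JobReport.builder().enabled(false).build())
                    .build();

            CreateJobResponse response = s3control.createJob(request);
            System.out.println("Created job " + response.jobId());
        }
    }
}
```

If CreateJob is denied under the assumed role while it succeeds from the console, compare the two principals with GetCallerIdentity (the console call is made as your console user or role, not as job-role) and check the role's own policy for s3:CreateJob and iam:PassRole on itself; the trust policy only governs who may assume the role, not what it may do afterwards.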
Maybe I was not clear, but your actions should be with '*': not just 's3:' but 's3:*'. Same for the others. I've never seen 's3:' mean 's3:*'.