
AccessDeniedException: User: role is not authorized to perform: iam:PassRole on resource because no session policy allows the iam:PassRole action


I tried to create an OTA job using CreateOTAUpdateCommand from the AWS SDK for JavaScript. I created the role as described here https://docs.aws.amazon.com/freertos/latest/userguide/create-service-role.html and used this role during the creation of a Cognito Identity. This identity is created for unauthenticated access. As a result, I'm receiving this exception: "AccessDeniedException: User: arn:aws:sts::<account_id>:assumed-role/ota-job-role/CognitoIdentityCredentials is not authorized to perform: iam:PassRole on resource: arn:aws:iam::<account_id>:role/ota-job-role because no session policy allows the iam:PassRole action", whereas iam:PassRole and iam:GetRole are present in the policy attached to this role. What am I doing wrong?

The code I used:

  import { IoTClient, CreateOTAUpdateCommand } from "@aws-sdk/client-iot";

  // `region` and `credentials` (the Cognito identity pool credentials) are
  // assumed to be configured elsewhere in the application.
  const client = new IoTClient({ region, credentials });

  // targets, fileNameOnTarget, fileType, bucket and fileName are set elsewhere.
  const input = { 
    otaUpdateId: "AFR_OTA-test-update", 
    description: "Update job",
    targets: targets, // thing or thing-group ARNs that receive the update
    protocols: [ 
      "MQTT" ,
    ],
    files: [ 
      { 
        fileName: fileNameOnTarget,
        fileType: fileType,
        fileVersion: "1.0.0",
        fileLocation: { 
          s3Location: { // S3Location
            bucket: bucket,
            key: fileName,
            version: "1.0.0", // S3 object version ID, not the firmware version
          },
        },
      },
    ],
    // Service role that AWS IoT assumes to run the job; the caller needs
    // iam:PassRole on this ARN, which is what the error is about.
    roleArn: "arn:aws:iam::<account_id>:role/ota-job-role",
  };
  try {
    const command = new CreateOTAUpdateCommand(input);
    const response = await client.send(command);
  } catch (e) {
    console.log(e);
  }

I

asked 6 months ago, 410 views
1 Answer
Accepted Answer

Hello,

The issue lies with the unauthenticated access for Cognito Identity and the iam:PassRole action in your policy.

Unauthenticated Access:

  • You created a Cognito Identity for unauthenticated access, but the ota-job-role likely requires authentication to be assumed.

Policy Limitation:

  • While your policy includes iam:PassRole and iam:GetRole, it might not allow passing the role to an unauthenticated user.

Possible Solutions:

  • Authenticate Users: If your use case allows, consider implementing user authentication for Cognito Identity to assume the ota-job-role.

  • Adjust Policy: Modify the policy attached to ota-job-role to explicitly allow the iam:PassRole action for the principal of your Cognito Identity (even if unauthenticated). However, this approach weakens security, so proceed with caution.

  • Managed Authentication: Explore using AWS SDK for JavaScript features like CognitoUser class for user authentication before creating the OTA job. This ensures proper credentials are used for assuming the role.

Review the documentation for CreateOTAUpdateCommand (https://docs.aws.amazon.com/iot/latest/apireference/API_CreateOTAUpdate.html).

EXPERT, answered 6 months ago
reviewed 6 months ago
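The answer's "Adjust Policy" option, made concrete as an added example that is not code from the thread or from AWS. iam:PassRole is evaluated against the permissions of the calling principal, so the grant belongs on the role the identity pool hands out to the caller, and the error's "no session policy allows" wording is what Cognito identity pools produce when the scoped session policy they attach to unauthenticated credentials in the enhanced flow rejects an action before the role's own policy is consulted, which is why the answer's "Authenticate Users" option matters. The example assumes a placeholder account ID (123456789012), the role name from the question, that the permissions policy goes on the identity pool's authenticated role, and that ota-job-role is a separate role trusted only by the IoT service (in the question the same role serves both purposes, which is broader than needed). The evaluator at the end is a deliberate simplification of IAM evaluation (explicit Deny wins, any matching Allow grants, default deny, wildcards and StringEquals only) so you can check the exact action and resource from the error message offline before touching the account.

```javascript
// Added example (not from the thread): least-privilege policies for the
// iam:PassRole requirement in the question, plus a local check that the
// policy really covers the action/resource pair from the error message.
// Assumptions: placeholder account ID, role names taken from the question.
const ACCOUNT_ID = "123456789012"; // placeholder, not the asker's account
const OTA_ROLE_ARN = `arn:aws:iam::${ACCOUNT_ID}:role/ota-job-role`;
const IOT_SERVICE = "iot.amazonaws.com";

// Permissions policy for the role the caller actually runs as (the identity
// pool's authenticated role). iam:PassRole is granted on one role and only
// when the recipient is AWS IoT, so these credentials cannot hand
// ota-job-role to Lambda, EC2 or any other service.
function buildCallerPolicy(otaRoleArn, accountId) {
  return {
    Version: "2012-10-17",
    Statement: [
      {
        Sid: "CreateOtaUpdate",
        Effect: "Allow",
        Action: ["iot:CreateOTAUpdate", "iot:GetOTAUpdate"],
        Resource: `arn:aws:iot:*:${accountId}:otaupdate/*`,
      },
      {
        Sid: "PassOtaRoleToIotOnly",
        Effect: "Allow",
        Action: "iam:PassRole",
        Resource: otaRoleArn,
        Condition: { StringEquals: { "iam:PassedToService": IOT_SERVICE } },
      },
    ],
  };
}

// Trust policy for ota-job-role itself: only the IoT service principal may
// assume it. Cognito identities should not be handed this role directly.
function buildOtaRoleTrustPolicy() {
  return {
    Version: "2012-10-17",
    Statement: [
      { Effect: "Allow", Principal: { Service: IOT_SERVICE }, Action: "sts:AssumeRole" },
    ],
  };
}

// Minimal evaluator (simplification of IAM): explicit Deny wins, any matching
// Allow grants, otherwise deny; wildcards * and ?; StringEquals conditions only.
const asList = (x) => (Array.isArray(x) ? x : [x]);
const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

function wildcardMatch(pattern, value, ignoreCase) {
  const body = pattern
    .split("*")
    .map((part) => part.split("?").map(escapeRe).join("."))
    .join(".*");
  return new RegExp(`^${body}$`, ignoreCase ? "i" : "").test(value);
}

function conditionsMet(condition, context) {
  if (!condition) return true;
  for (const [operator, pairs] of Object.entries(condition)) {
    if (operator !== "StringEquals") throw new Error(`unsupported operator: ${operator}`);
    for (const [key, expected] of Object.entries(pairs)) {
      // A condition key missing from the request context never matches.
      if (!(key in context) || !asList(expected).includes(context[key])) return false;
    }
  }
  return true;
}

function policyAllows(policy, action, resource, context = {}) {
  let allowed = false;
  for (const st of policy.Statement) {
    const actionHit = asList(st.Action).some((a) => wildcardMatch(a, action, true));
    const resourceHit = asList(st.Resource).some((r) => wildcardMatch(r, resource, false));
    if (!actionHit || !resourceHit || !conditionsMet(st.Condition, context)) continue;
    if (st.Effect === "Deny") return false;
    allowed = true;
  }
  return allowed;
}

// The exact check behind the error message: iam:PassRole on the role ARN,
// with IoT as the receiving service.
function passRoleToIotAllowed(policy, roleArn) {
  return policyAllows(policy, "iam:PassRole", roleArn, { "iam:PassedToService": IOT_SERVICE });
}

const callerPolicy = buildCallerPolicy(OTA_ROLE_ARN, ACCOUNT_ID);
console.log(JSON.stringify(callerPolicy, null, 2));
console.log("PassRole to IoT allowed:", passRoleToIotAllowed(callerPolicy, OTA_ROLE_ARN));
```

Attach the caller policy to the identity pool's authenticated role (via the console or `aws iam put-role-policy`), the trust policy to ota-job-role, and re-run the CreateOTAUpdate call with authenticated credentials; the evaluator only tells you the document is shaped right, it does not reproduce SCPs, permission boundaries or the identity pool's own session policy.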
