By using AWS re:Post, you agree to the Terms of Use

aws sts assume-role gives AccessDenied

0

I have the following setup:

  • I sign in to Account1
  • I have a role in Account2
  • There is a trust set up between the role and Account1 (requiring MFA)
  • I run AWS CLI in a WSL (Ubuntu) in Windows
  • I have ~/.aws/credentials set up with a named profile for the role

I can assume the role in account 2 in the web console without any problems. I can also do aws s3 ls --profile named-profile successfully. However, if I try to run aws sts assume-role with the role arn, I get an error:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: <my-user-arn> is not authorized to perform: sts:AssumeRole on resource: <the-role-arn>

I assume that I am missing something obvious, but I fail to see what...

3 Answers
1

It sounds like there may be extra configuration in the CLI needed. I will post an example of where I have a similar configuration. Could I confirm a couple things. The sign in to Account 1 is done with IAM credentials that are configured in your CLI profile (profile1), and an mfa device is configured? Here is what I would use as a comparison

[profile profile1]
aws_access_key_id=xxxxxxxxxx
aws_secret_access_key=xxxxxxxxx

[profile profile2]
source_profile=profile1
role_arn=arn:aws:iam::<Account2 ID>:role/<assumed role name>
mfa_serial = arn:aws:iam::<Account1 ID>:mfa/<mfa device name> 

This removes the need to try aws sts assume-role, and just use --profile profile2 when running CLI commands across the assumed role into Account2. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html

Another option may be using the aws sts get-session-token process described here https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/ which will get temporary credentials that can be used as environment variables.

answered 7 months ago
0

Hi, thanks for the input.

Yes, the sign in is with IAM credentials, with an MFA device configured.

In the "IAM Account" (account 1) I have a policy like this, which is connected to my user:

{
    "Condition": {
        "Bool": {
            "aws:MultiFactorAuthPresent": "true"
        }
    },
    "Action": [
        "sts:AssumeRole"
    ],
    "Resource": [
        "arn:aws:iam::<account-2>:role/<rolename>"
    ],
    "Effect": "Allow"
}

In the role in account 2, there is a trust configured like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account-1>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}

My ~/.aws/credentials contains data like this:


[default]
aws_access_key_id = <My IAM user's access key id>
aws_secret_access_key = <My IAM user's secred access key>

[profile-name]
role_arn = arn:aws:iam::<account-2>:role/<rolename>
source_profile = default
mfa_serial = arn:aws:iam::<account-1>:mfa/<My IAM user name>

I do have a named profile configured, which works as expected (I can for instance do aws s3 ls --profile profile-name to list S3 buckets in account 2). When I run aws sts assume-role I get the MFA prompt, but then the error.

I need to perform the aws sts assume-role command to harvest parts of the output, which is needed for another (non-AWS) tool. Also, the script will not always run in a context where there is a CLI configuration with named profiles. I am mostly curious about how I can get the error, when there are clearly policies at play that explicitly grant me that particular permission (which in my opinion is proven by the functioning aws s3 ls command, and my ability to assume the role in the web console). I just assume that I am missing something obvious here :-)

answered 7 months ago
0

Hi, so after some verification I believe there's some extra parameters we have to add to the CLI command. The assume role command at the CLI should be in this format

aws sts assume-role --role-arn <role arn in Account2> --role-session-name <reference name for session> --serial-number <mfa virtual device arn> --token-code <one time code from mfa device>

This should output the json blob with temporary role credentials. This doesn't use that second profile, but is required to be able to retrieve the credentials.

answered 7 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions