aws sts assume-role gives AccessDenied
I have the following setup:
- I sign in to Account1
- I have a role in Account2
- There is a trust set up between the role and Account1 (requiring MFA)
- I run AWS CLI in a WSL (Ubuntu) in Windows
- I have ~/.aws/credentials set up with a named profile for the role
I can assume the role in account 2 in the web console without any problems. I can also do aws s3 ls --profile named-profile successfully. However, if I try to run aws sts assume-role with the role arn, I get an error:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: <my-user-arn> is not authorized to perform: sts:AssumeRole on resource: <the-role-arn>
I assume that I am missing something obvious, but I fail to see what...
It sounds like there may be extra configuration in the CLI needed. I will post an example of where I have a similar configuration. Could I confirm a couple of things? The sign-in to Account 1 is done with IAM credentials that are configured in your CLI profile (profile1), and an MFA device is configured? Here is what I would use as a comparison:
[profile profile1]
aws_access_key_id=xxxxxxxxxx
aws_secret_access_key=xxxxxxxxx
[profile profile2]
source_profile=profile1
role_arn=arn:aws:iam::<Account2 ID>:role/<assumed role name>
mfa_serial = arn:aws:iam::<Account1 ID>:mfa/<mfa device name>
This removes the need to try aws sts assume-role; just use --profile profile2 when running CLI commands across the assumed role into Account2. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
Another option may be using the aws sts get-session-token process described here https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/ which will get temporary credentials that can be used as environment variables.
Hi, thanks for the input.
Yes, the sign in is with IAM credentials, with an MFA device configured.
In the "IAM Account" (account 1) I have a policy like this, which is connected to my user:
{
  "Condition": {
    "Bool": {
      "aws:MultiFactorAuthPresent": "true"
    }
  },
  "Action": [
    "sts:AssumeRole"
  ],
  "Resource": [
    "arn:aws:iam::<account-2>:role/<rolename>"
  ],
  "Effect": "Allow"
}
In the role in account 2, there is a trust configured like this:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-1>:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": {
          "aws:MultiFactorAuthPresent": "true"
        }
      }
    }
  ]
}
My ~/.aws/credentials contains data like this:
[default]
aws_access_key_id = <My IAM user's access key id>
aws_secret_access_key = <My IAM user's secret access key>
[profile-name]
role_arn = arn:aws:iam::<account-2>:role/<rolename>
source_profile = default
mfa_serial = arn:aws:iam::<account-1>:mfa/<My IAM user name>
I do have a named profile configured, which works as expected (I can for instance do aws s3 ls --profile profile-name to list S3 buckets in account 2). When I run aws sts assume-role I get the MFA prompt, but then the error.
I need to perform the aws sts assume-role command to harvest parts of the output, which is needed for another (non-AWS) tool. Also, the script will not always run in a context where there is a CLI configuration with named profiles. I am mostly curious about how I can get the error, when there are clearly policies at play that explicitly grant me that particular permission (which in my opinion is proven by the functioning aws s3 ls command, and my ability to assume the role in the web console). I just assume that I am missing something obvious here :-)
Hi, so after some verification I believe there are some extra parameters we have to add to the CLI command. The assume role command at the CLI should be in this format:
aws sts assume-role --role-arn <role arn in Account2> --role-session-name <reference name for session> --serial-number <mfa virtual device arn> --token-code <one time code from mfa device>
This should output the json blob with temporary role credentials. This doesn't use that second profile, but is required to be able to retrieve the credentials.
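The original poster needs to run this command form and harvest parts of the JSON blob for a non-AWS tool, possibly on a machine without named profiles. The script below is an added example, not the thread's or the AWS CLI's own code: it builds exactly the argument list the answer gives, runs it, and turns the Credentials block into shell export lines. It assumes the AWS CLI is installed and that the optional profile argument names the profile holding the IAM user's long-term keys (the default profile in the thread), since a profile with role_arn makes the CLI assume the role before issuing any command, this one included. The role ARN, MFA serial and sample output are constructed placeholders, and AWS_CREDENTIAL_EXPIRATION is a variable name chosen here, not one the CLI reads.

```python
"""Added example: run aws sts assume-role with MFA and emit export lines."""
import json
import re
import shlex
import subprocess
import sys

TOKEN_CODE_RE = re.compile(r"^[0-9]{6}$")


def build_assume_role_argv(role_arn, session_name, mfa_serial, token_code, profile=None):
    """Argument list for the command form given in the answer, forcing --output json
    so the result is parseable regardless of the user's configured output format."""
    if not TOKEN_CODE_RE.match(token_code):
        raise ValueError("MFA token code must be six digits")
    argv = ["aws", "sts", "assume-role",
            "--role-arn", role_arn,
            "--role-session-name", session_name,
            "--serial-number", mfa_serial,
            "--token-code", token_code,
            "--output", "json"]
    if profile:
        argv += ["--profile", profile]
    return argv


def credentials_from_output(stdout):
    """Pick the Credentials block out of assume-role JSON output."""
    creds = json.loads(stdout)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
        # Name chosen for this example; the CLI/SDKs do not read it.
        "AWS_CREDENTIAL_EXPIRATION": creds["Expiration"],
    }


def to_export_lines(env):
    """Shell-safe export lines; every value goes through shlex.quote."""
    return "\n".join(f"export {k}={shlex.quote(v)}" for k, v in env.items())


# Constructed sample of the JSON blob assume-role returns (all values are fake).
SAMPLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID",
        "SecretAccessKey": "exampleSecretKey",
        "SessionToken": "exampleSessionToken==",
        "Expiration": "2030-01-01T00:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:cli-session",
        "Arn": "arn:aws:sts::222222222222:assumed-role/ExampleRole/cli-session",
    },
})


def main(args):
    if len(args) < 3:
        sys.stderr.write("usage: assume_mfa.py <role-arn> <mfa-serial-arn> <token-code> [profile]\n")
        return 2
    role_arn, mfa_serial, token_code = args[:3]
    profile = args[3] if len(args) > 3 else None
    cmd = build_assume_role_argv(role_arn, "cli-session", mfa_serial, token_code, profile)
    result = subprocess.run(cmd, capture_output=True, text=True)
    if result.returncode != 0:
        sys.stderr.write(result.stderr)  # surfaces an AccessDenied message unchanged
        return result.returncode
    print(to_export_lines(credentials_from_output(result.stdout)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Usage from a shell: eval "$(python3 assume_mfa.py arn:aws:iam::222222222222:role/ExampleRole arn:aws:iam::111111111111:mfa/my-user 123456 default)" puts the temporary credentials into the environment for whatever tool runs next; errors from the CLI go to stderr and are not eval'd.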