1 Answer
2
When you assume a role via web identity, you get temporary credentials (access and secret keys) and use them to perform some actions, which are allowed by the IAM policy.
If this role assumes another role, the temporary credentials change, so you need to use the new creds to execute Lambda (in your case).
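Added example (not the answer's code) of the two-hop flow the answer describes: the AssumeRole call for the second role is signed with the first role's temporary credentials, and the Lambda invoke is signed with the second role's. Role ARNs, the account ID, the web identity token and the function name are placeholders, and the fake STS/Lambda clients are constructed stand-ins so the flow runs offline.

```python
"""Role chaining: web identity -> role A -> role B -> Lambda invoke.
Added example, not the answer's code. AWS calls go through a client factory so the
flow runs against boto3 or the constructed fakes below; ARNs/token are placeholders."""
from collections import namedtuple

Creds = namedtuple("Creds", "access_key secret_key session_token")  # STS creds carry a token

def creds_from(resp):
    c = resp["Credentials"]
    return Creds(c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"])

def chain_and_invoke(make_client, web_token, role_a, role_b, function_name):
    """make_client(service, creds) -> client signed with creds (None = default/unsigned)."""
    a = creds_from(make_client("sts", None).assume_role_with_web_identity(
        RoleArn=role_a, RoleSessionName="web", WebIdentityToken=web_token))
    # Second hop: signed with role A's temporary creds, not with the web identity token.
    b = creds_from(make_client("sts", a).assume_role(RoleArn=role_b, RoleSessionName="chained"))
    # Lambda: invoked with role B's creds; role A's creds are no longer the ones in play.
    return b, make_client("lambda", b).invoke(FunctionName=function_name)

def boto3_factory(service, creds):
    """Real client factory (requires boto3); pass this as make_client outside tests."""
    import boto3
    kw = {} if creds is None else dict(aws_access_key_id=creds.access_key,
        aws_secret_access_key=creds.secret_key, aws_session_token=creds.session_token)
    return boto3.client(service, **kw)

class FakeSts:
    """Constructed STS stand-in: creds are named after the role; AssumeRole needs a signer."""
    def __init__(self, signer):
        self.signer = signer
    def _issue(self, arn):
        n = arn.rsplit("/", 1)[-1]
        return {"Credentials": {"AccessKeyId": "AK-" + n, "SecretAccessKey": "SK-" + n,
                                "SessionToken": "TOK-" + n}}
    def assume_role_with_web_identity(self, **kw):
        return self._issue(kw["RoleArn"])
    def assume_role(self, **kw):
        if self.signer is None:
            raise PermissionError("AssumeRole must be signed with role A's credentials")
        return self._issue(kw["RoleArn"])

class FakeLambda:
    def __init__(self, signer):
        self.signer = signer
    def invoke(self, **kw):
        return {"StatusCode": 200, "CallerKey": self.signer.access_key}

def fake_factory(service, creds):
    return FakeSts(creds) if service == "sts" else FakeLambda(creds)
```

For the real chain to work, role A needs `sts:AssumeRole` on role B and role B's trust policy must name role A as a principal; the `lambda:InvokeFunction` permission then lives on role B, the identity that actually makes the call.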
Hey - I think, the way I'm seeing it, my external account is assuming the role.
The role includes policy statements 1-5 (which include the Lambda trust policy, invoke-Lambda permission and web identity policy).
I thought the role with the attached policy bundle would be enough to give the web identity the Lambda invoke role? I'll double-check on my end whether I misconfigured something. Right now, it looked like the Lambda resource permissions had to be placed in the web identity policy itself (vs. the role).