By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Secondary policy permission grants - Web Identity/Assume Role

0

Hey!

I have a policy statement for allowing an assumed role via web identity. It works fine. I have a role which this policy is attached to with permissions to invoke a lambda function. I can invoke a Lambda function with this role in AWS.

Here's my question - when invoking a lambda function via the web identity assumed rule (hypothetically let's say GCP) - it tells me that no policy allows me to invoke the lambda function - but that I have assumed the role. When I edit the specific policy for the web identity role assumption to also include the invoke the lamba function - this works fine.

The workaround seems fine - but my understanding is that I shouldn't need it. My role having the invoke lambda policy - and my web identity policy allowing me to assume that role - should be enough -no? Is there a quick refresher on why I need the secondary policy grant in the web identity grant?

Topics
ServerlessComputeSecurity, Identity, & Compliance
Tags
AWS LambdaIAM PoliciesMulticloud
Language
English
Mike Goodstein
asked a month ago88 views
1 Answer
2

When you assume a role via web identity, you get temporary credentials (access and secret keys) and use them to perform some actions, which are allowed by IAM policy

If this role assumes another role, temporary credentials change, so you need to use new creds to Execute Lambda (in your case)

profile picture
EXPERT
Oleksii Bebych
answered a month ago
profile picture
EXPERT
Artem
reviewed a month ago
profile picture
EXPERT
Osvaldo Marte
reviewed a month ago
  • Mike Goodstein
    a month ago

    Hey - I think the way I'm seeing it - my external account is assuming the role.

    role includes policy statements 1-5 (which includes lambda trust policy/invoke lambda/web identity policy)

    I thought the Role w. attached policy bundle would be enough to provide the web identity the lambda invoke role? I'll double check on my end if I misconfigured something. Right now - it looked like the Lambda resource permissions had to be placed in the web identity policy itself (vs the role).

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content