IAM abac tag problems: User is not authorized to perform: execute-api:Invoke on resource


I'm trying to call an api-gateway endpoint from my web app but getting the error:

User: arn:aws:sts::<number>:assumed-role/my_identity_pool_auth_role/CognitoIdentityCredentials is not authorized to perform: execute-api:Invoke on resource: arn:aws:execute-api:eu-west-2:********9277:<api-gateway id>/test/GET/theme

I have a user pool set up in which I've created two groups, one of which I'd like to give access to execute the endpoint mentioned above.

The user pool group has an IAM role attached with no permissions, but the following trust relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRoleWithWebIdentity",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "<identity pool id>"
                }
            }
        }
    ]
}

and a tag with:

key: user_role
value: end_user_basic

The identity pool auth role has permissions and trust relationship below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "cognito-identity:*",
                "mobileanalytics:PutEvents",
                "cognito-sync:*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": "arn:aws:execute-api:eu-west-2:*:<api-gateway id>/*/GET/theme",
            "Condition": {
                "StringEquals": {
                    "aws:PrincipalTag/user_role": "end_user_basic"
                }
            }
        }
    ]
}

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "cognito-identity.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRoleWithWebIdentity",
                "sts:TagSession"
            ],
            "Condition": {
                "StringEquals": {
                    "cognito-identity.amazonaws.com:aud": "<identity pool id>"
                },
                "ForAnyValue:StringLike": {
                    "cognito-identity.amazonaws.com:amr": "authenticated"
                }
            }
        }
    ]
}

In the identity pool settings, I have 'authenticated role selection' set to 'user default role' and 'attributes for access control' set to 'use custom mappings' with the below:

Tag key for principal: user_role
Attribute name: user_role

And when I make the request, my id token has a payload something like below:

{
  "sub": ...,
  "cognito:groups": [
    "<the correct cognito user group>"
  ],
  "iss": ...,
  "cognito:username": ...,
  "origin_jti": ...,
  "cognito:roles": [
    "<the correct iam role with tag attached>"
  ],
  "aud": ...,
  "event_id": ...,
  "token_use": "id",
  "auth_time": ...,
  "exp": ...,
  "iat": ...,
  "jti": ...,
  "email": ...
}

so the user belongs to the correct group with the correct iam role applied.

I'm new to AWS, so I'm sure I'm missing something daft, but if somebody could point me in the right direction I'd be grateful.

As an aside, if I remove the condition below:

"Condition": {
    "StringEquals": {
        "aws:PrincipalTag/user_role": "end_user_basic"
    }
}

from the identity pool auth role, I can make the API call successfully.
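The statement at the centre of this question is an ABAC Allow that only takes effect when the assumed-role session actually carries a principal tag named user_role with the value end_user_basic. The following added example (not part of the question, not AWS code) is an offline model of exactly that statement: it reproduces the VisualEditor1 statement from the auth role's permission policy, matches the action and resource with IAM-style wildcards, evaluates the StringEquals condition against a dictionary standing in for the session tags, and shows that a session with no user_role tag, or the wrong value, gets no Allow (an implicit deny, which is the error message the question quotes). The API id, account id and stage are constructed placeholders; explicit Deny statements and condition operators other than StringEquals on aws:PrincipalTag/* are deliberately not modelled. The last helper builds the ContextEntries shape that the real IAM policy simulator call (iam.simulate_principal_policy) takes, so the same tag sets can be replayed against the real role.

```python
"""Offline model of the execute-api:Invoke ABAC statement from the question.

Added example, not from the original post. Models only what the question
shows: an Allow statement with action/resource globbing and a StringEquals
condition on aws:PrincipalTag/<key>. Explicit Deny, NotAction and other
condition operators are out of scope.
"""
import re

API_ID = "abc123def4"        # constructed placeholder for <api-gateway id>
ACCOUNT = "123456789012"     # constructed placeholder account id
PRINCIPAL_TAG_PREFIX = "aws:PrincipalTag/"

# The execute-api statement of the identity pool authenticated role, as posted
# in the question, with the placeholder API id substituted.
AUTH_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "execute-api:Invoke",
            "Resource": f"arn:aws:execute-api:eu-west-2:*:{API_ID}/*/GET/theme",
            "Condition": {
                "StringEquals": {"aws:PrincipalTag/user_role": "end_user_basic"}
            },
        }
    ],
}

# The resource named in the AccessDenied message from the question
# (stage "test", method GET, path /theme), with placeholder ids.
REQUEST_RESOURCE = f"arn:aws:execute-api:eu-west-2:{ACCOUNT}:{API_ID}/test/GET/theme"


def _as_list(value):
    """IAM allows a string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def glob_match(pattern, value):
    """IAM-style wildcard match: '*' matches any run of characters
    (including '/'), '?' matches exactly one; everything else is literal."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def condition_matches(condition, session_tags):
    """Evaluate a Condition block against the tags on the assumed-role session.
    A StringEquals on a principal tag that is absent from the session is
    simply false, which leaves the request with an implicit deny."""
    for operator, clauses in condition.items():
        if operator != "StringEquals":
            raise NotImplementedError(f"operator {operator} not modelled here")
        for key, expected in clauses.items():
            if not key.startswith(PRINCIPAL_TAG_PREFIX):
                raise NotImplementedError(f"context key {key} not modelled here")
            actual = session_tags.get(key[len(PRINCIPAL_TAG_PREFIX):])
            if actual is None or actual not in _as_list(expected):
                return False
    return True


def is_allowed(policy, action, resource, session_tags):
    """True if any Allow statement matches the action, resource and condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if not any(glob_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(glob_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if condition_matches(stmt.get("Condition", {}), session_tags):
            return True
    return False


def simulator_context_entries(session_tags):
    """ContextEntries in the shape iam.simulate_principal_policy expects, so the
    same tag set can be replayed against the real role in the IAM policy
    simulator instead of this offline model."""
    return [
        {
            "ContextKeyName": PRINCIPAL_TAG_PREFIX + key,
            "ContextKeyValues": [value],
            "ContextKeyType": "string",
        }
        for key, value in sorted(session_tags.items())
    ]


if __name__ == "__main__":
    # Tag present with the right value, tag missing, tag with another value.
    for tags in ({"user_role": "end_user_basic"}, {}, {"user_role": "admin"}):
        verdict = is_allowed(AUTH_ROLE_POLICY, "execute-api:Invoke",
                             REQUEST_RESOURCE, tags)
        print(f"session tags {tags!r:40} -> allowed={verdict}")
```

Run as a script it prints one line per tag set; only the session that carries user_role=end_user_basic is allowed. The same three dictionaries, passed through simulator_context_entries, are what you would supply as ContextEntries when checking the real role with the IAM policy simulator, which is the quickest way to confirm whether the tag is actually arriving on the Cognito session or whether the condition is failing on a missing key.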

No Answers
