I am trying to develop a lambda function, which is implemented in Python, for a user federation.
This lambda function invokes GetOpenIdTokenForDeveloperIdentity first to get a token from an identity pool, then invokes AssumeRoleWithWebIdentity. However, I got an error when the lambda function attempted to invoke AssumeRoleWithWebIdentity.
"An error occurred (AccessDenied) when calling the AssumeRoleWithWebIdentity operation: Not authorized to perform sts:AssumeRoleWithWebIdentity"
The trust relationship and policy attached to the role of the lambda function are as follows.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com",
        "Federated": "cognito-identity.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:AssumeRoleWithWebIdentity"
      ]
    }
  ]
}
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "lambda:InvokeFunction",
        "logs:CreateLogGroup",
        "logs:CreateLogStream",
        "logs:PutLogEvents",
        "cognito-identity:GetOpenIdTokenForDeveloperIdentity",
        "sts:AssumeRoleWithWebIdentity"
      ],
      "Resource": "*",
      "Effect": "Allow"
    }
  ]
}
```
I am wondering if I set enough permissions to invoke AssumeRoleWithWebIdentity. I would appreciate it if you could give me any suggestions.
Just in case, this is a snippet of the lambda function.
```python
import os

import boto3

# 'provider_name' is a custom provider name set in an identity pool in AWS.
# The original snippet does not show where provider_name or user_id come
# from; here they are assumed to come from an environment variable and
# from the invoking event respectively.
provider_name = os.environ['PROVIDER_NAME']


def lambda_handler(event, context):
    user_id = event['user_id']
    cog_cli = boto3.client('cognito-identity')
    # Ask the identity pool for an OpenID token for this developer identity
    cog_id_res = cog_cli.get_open_id_token_for_developer_identity(
        IdentityPoolId=os.environ['IDENTITY_POOL_ID'],
        Logins={
            provider_name: user_id
        }
    )
    sts_cli = boto3.client("sts")
    # Exchange that token for temporary credentials of the target role
    sts_res = sts_cli.assume_role_with_web_identity(
        RoleArn=os.environ['TARGET_ROLE_ARN'],
        RoleSessionName=user_id,
        WebIdentityToken=cog_id_res['Token']
    )
    return sts_res['Credentials']
```