AWS SSO Required permission to run aws sts get-caller-identity
For an AWS SSO user, when they run
`aws sts get-caller-identity`
the following error occurs
`An error occurred (ForbiddenException) when calling the GetRoleCredentials operation: No access`
I can't find any reference as to what permission the user needs to execute this command.
The user has the following policy:
arn:aws:iam::aws:policy/ReadOnlyAccess
and this inline policy:
{
"Sid": "sts",
"Effect": "Allow",
"Action": "sts:GetServiceBearerToken",
"Resource": "*",
"Condition": {
"NumericEquals": {
"sts:DurationSeconds": 43200
},
"StringEquals": {
"sts:AWSServiceName": "codeartifact.amazonaws.com"
}
}
}
]
Are you using AWS SSO Permission Sets to assign IAM policies to your users? https://docs.aws.amazon.com/singlesignon/latest/userguide/iam-auth-access-overview.html. As you suggest you are applying an inline policy I would assume not (since inline policies only apply to IAM users)?
If you are using SSO Permission Sets, then the read only permission set AWSReadOnlyAccess which uses the AWS Managed Policy arn:aws:iam::aws:policy/job-function/ViewOnlyAccess does not specifically include STS:* as a permission. Therefore I would assume that it is being implicitly denied.
If you could clarify it would help greatly.
Relevant questions
AWS SSO Required permission to run aws sts get-caller-identity
asked 5 months agoAWS SSO user with AdministratorAccess cannot access root owned resources
asked 4 months agoAWS SSO ForbiddenException
asked 2 months agoAWS SSO EC2 RDP
asked 2 months agoRestrictions on login using IP address when using AWS SSO cloud application.
asked 24 days agoAWS Service Catalog. Grant SSO Users to the Portfolio
asked 2 months agoAWS SSO ERROR 403 with AD connector
asked 15 days agoSSO users get error when trying to register an MFA device "It's not you, it's us"
asked 2 months agoMigrate IAM Users to AWS SSO
asked 24 days agoAws SSO User Portal Branding/Ui Options
asked 25 days ago