With the v2 SDK, I can assume a role and get temporary credentials for an S3 client using the following code (wrapped in an async function, error handling removed for brevity):
EDIT: Original sample code appears further down. Here is the most simplified version I can create, which shows both v2 and v3 examples, where the v2 example works, and the v3 example fails with AccessDenied.
New Example:
const STS = require("aws-sdk/clients/sts"); // v2
const { AssumeRoleCommand, STSClient } = require("@aws-sdk/client-sts"); // v3

process.env.AWS_ACCESS_KEY_ID = "<my account 1 aws access key id>";
process.env.AWS_SECRET_ACCESS_KEY = "<my account 1 aws secret access key>";

const region = "us-east-1";
const RoleArn = "arn:aws:iam::<account 2>:role/<role>";

async function v2example() {
  const stsClient = new STS({
    region
  });
  const command = {
    RoleArn,
    RoleSessionName: 'sessionV2'
  };
  const assumeRoleResponse = await stsClient.assumeRole(command).promise();
  console.log(assumeRoleResponse);
}

async function v3example() {
  const stsClient = new STSClient({
    region
  });
  const command = new AssumeRoleCommand({
    RoleArn,
    RoleSessionName: 'sessionV3'
  });
  const assumeRoleResponse = await stsClient.send(command);
  console.log(assumeRoleResponse);
}

v2example(); // success
v3example(); // AccessDenied
Original Example:
const AWS = require("aws-sdk");
const STS = require("aws-sdk/clients/sts");
const S3 = require("aws-sdk/clients/s3");

const region = "us-east-1";
const RoleArn = "<My_Role_Arn_With_S3_Permissions>";

async function v2Original() {
  // Get the user or system credentials from default provider chain
  // (env, sso credentials, ini files, ECS, process, Token File Web ID, or EC2 Metadata)
  const chain = new AWS.CredentialProviderChain();
  const credentials = await chain.resolvePromise();
  AWS.config.credentials = credentials;

  // Create STS client using the default credentials
  const stsClient = new STS({
    credentials,
    region
  });

  // Assume a different role and get temp credentials for S3 access
  const roleToAssume = {
    RoleArn,
    RoleSessionName: 'session1',
    DurationSeconds: 900 // the AssumeRole parameter is DurationSeconds, not Duration
  };
  const roleData = await stsClient.assumeRole(roleToAssume).promise();
  const tempCredentials = stsClient.credentialsFrom(roleData, new AWS.TemporaryCredentials(roleToAssume));

  // Create S3 client using the temporary credentials
  const s3Client = new S3({
    credentials: tempCredentials,
    region,
    signatureVersion: 'v4'
  });
  return s3Client;
}
However, the following code, which I think is roughly the equivalent for v3 (up to assuming the role... I'm stuck there), gives an error "AccessDenied: User: <my user Arn> is not authorized to perform: sts:AssumeRole on resource: <RoleArn>". But I know from the working v2 code that my user is authorized to perform sts:AssumeRole, so what could the problem be?
const { STSClient, AssumeRoleCommand } = require("@aws-sdk/client-sts");
const { fromNodeProviderChain } = require("@aws-sdk/credential-providers");

const region = "us-east-1";
const RoleArn = "<My_Role_Arn_With_S3_Permissions>";

async function v3Original() {
  // Get the user or system credentials from default provider chain
  // (env, sso credentials, ini files, ECS, process, Token File Web ID, or EC2 Metadata)
  const credentials = fromNodeProviderChain();

  // Create STS client using the default credentials
  const stsClient = new STSClient({
    credentials,
    region
  });

  // Assume a different role and get temp credentials for S3 access
  const roleToAssume = {
    RoleArn,
    RoleSessionName: 'session1',
    DurationSeconds: 900 // the AssumeRole parameter is DurationSeconds, not Duration
  };
  const roleCommand = new AssumeRoleCommand(roleToAssume);
  const assumeRoleResponse = await stsClient.send(roleCommand);
  return assumeRoleResponse;
}
Any suggestions? This is preventing me from being able to move from the v2 SDK to the v3 SDK. Thanks.
EDIT: My user is a member of a group which has the policy that grants the STS AssumeRole action. Is there anything I need to do with regard to that group information when creating the STSClient? Also, do I need to explicitly disable MFA for my user in order for this to work? I'm just wondering if there's some difference between v2 and v3 with regard to how MFA or group membership info is recognized?
Unfortunately, I've already reviewed that and it's essentially what I'm already doing.
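The step the v3 code in the question stops at (turning an AssumeRole response into credentials an `S3Client` can use), as an added example that is not the asker's code. In practice `fromTemporaryCredentials` from `@aws-sdk/credential-providers` does this for you; this stand-alone version shows what a v3 credential provider is (an async function returning `{ accessKeyId, secretAccessKey, sessionToken, expiration }`) and why the session token and a refresh before expiry matter. The `assumeRole` argument is assumed to be a wrapper around `stsClient.send(new AssumeRoleCommand(params))`, injected here so the logic runs offline against a constructed response.

```javascript
// Added example (not from the question): v2 `credentialsFrom` + `TemporaryCredentials`
// replaced by a plain v3-style credential provider function.

// Map an STS AssumeRole response to the credential object v3 clients accept.
function credentialsFromAssumeRole(response) {
  const c = response && response.Credentials;
  // Temporary credentials are rejected without their session token, so treat a
  // missing field as an error instead of silently producing unusable credentials.
  if (!c || !c.AccessKeyId || !c.SecretAccessKey || !c.SessionToken) {
    throw new Error("AssumeRole response is missing Credentials");
  }
  return {
    accessKeyId: c.AccessKeyId,
    secretAccessKey: c.SecretAccessKey,
    sessionToken: c.SessionToken,
    expiration: new Date(c.Expiration),
  };
}

// Build a v3 credential provider: an async function the client calls whenever it
// signs a request. It caches the assumed-role credentials and re-assumes the role
// when they are within `refreshMarginMs` of expiring.
// `assumeRole(params)` is assumed to return the AssumeRole response (injected for testing);
// `now` is injectable so expiry handling can be exercised without waiting.
function assumeRoleProvider(assumeRole, params, options = {}) {
  const { refreshMarginMs = 60 * 1000, now = () => Date.now() } = options;
  let cached = null;
  return async function provider() {
    if (cached && cached.expiration.getTime() - now() > refreshMarginMs) {
      return cached; // still valid, no STS round trip
    }
    cached = credentialsFromAssumeRole(await assumeRole(params));
    return cached;
  };
}

// Usage with the real SDK (hypothetical names):
//   const provider = assumeRoleProvider(
//     (p) => stsClient.send(new AssumeRoleCommand(p)),
//     { RoleArn, RoleSessionName: "session1", DurationSeconds: 900 }
//   );
//   const s3Client = new S3Client({ region, credentials: provider });
```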