Secondary policy permission grants - Web Identity/Assume Role

Question

Hey!

I have a policy statement for allowing an assumed role via web identity. It works fine. I have a role which this policy is attached to with permissions to invoke a lambda function. I can invoke a Lambda function with this role in AWS.

Here's my question - when invoking a lambda function via the web identity assumed rule (hypothetically let's say GCP) - it tells me that no policy allows me to invoke the lambda function - but that I have assumed the role. When I edit the specific policy for the web identity role assumption to also include the invoke the lamba function - this works fine.

The workaround seems fine - but my understanding is that I shouldn't need it. My role having the invoke lambda policy - and my web identity policy allowing me to assume that role - should be enough -no? Is there a quick refresher on why I need the secondary policy grant in the web identity grant?

Answer

When you assume a role via web identity, you get temporary credentials (access and secret keys) and use them to perform some actions, which are allowed by IAM policy

If this role assumes another role, temporary credentials change, so you need to use new creds to Execute Lambda (in your case)

Secondary policy permission grants - Web Identity/Assume Role

相關內容