Home/ Questions/Error: is not authorized to perform sts assumerole on resource - how to solve it?
Next
Answered
Isabella Li
  • 25
Asked: 2022-05-17T14:05:22+00:00 In:

Error: is not authorized to perform sts assumerole on resource – how to solve it?

  • 25

. Advertisement .

..3..

. Advertisement .

..4..

I have the following javascript code, but I do not know how to find the correct result. Why has this problem occurred, and how can it be solved? Here is the code that I am running:

{
  "Version": "2012-10-17",
  "Statement": [
  {
  "Sid": "some-large-id",
  "Effect": "Allow",
  "Action": [
  "sts:*"
  ],
  "Resource": [
  "*"
  ]
  }
  ]
 }
{
  "Version": "2012-10-17",
  "Statement": [
  {
  "Sid": "another-large-id",
  "Effect": "Allow",
  "Action": [
  "s3:PutObject"
  ],
  "Resource": [
  "arn:aws:s3:::my-bucket-name/*"
  ]
  }
  ]
 }
let policy = {
  "Version": "2012-10-17",
  "Statement": [
  {
  "Sid": "new-custom-id",
  "Effect": "Allow",
  "Action": ["s3:PutObject"],
  "Resource": ["arn:aws:s3:::my-bucket-name/*"]
  }
  ]
 };
 
 let params = {
  DurationSeconds: 3600, 
  ExternalId: 'some-value', 
  Policy: JSON.stringify(policy), 
  RoleArn: "arn:aws:iam::NUMBER:role/ROLE-NAME", //Cheked, role is the same that step one
  RoleSessionName: this.makeNewSessionId()
 };
 let sts = new AWS.STS({ apiVersion: '2012-08-10' });
 
 sts.assumeRole(params, (err, data) => {
  if(err) console.log(err);
  else console.log(data);
 });

And this is the error text I receive:

the user is not authorized to perform sts:AsumeRole on resource xxx
assume role
Share

2 Answers

  1. Best Answer
    Expert

    The cause:

    This error happens because the name of the IAM role in AWS does not match with the corresponding group in directory and the DAG is not listed as principal by the trust relationship of the IAM Role’s AWS settings .

    Solution:

    The trust relationship policy document of the IAM role need to be checked to confirm that your user is  still in it. You also ensure that the IAM user has permissions allow them to take on that role.

    The trust relationship like below:

    {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::1234567890:user/person"
]
},
"Action": "sts:AssumeRole"
}
]
}
    • 14

  2. You must establish a trust relationship depending on the role you wish to play, such as using STS Java V2 API (not Node), You must specify who you trust in the trust relationship. Example: 

    {
 "Version": "2012-10-17",
 "Statement": [
 {
 "Effect": "Allow",
 "Principal": {
 "AWS": "arn:aws:iam::<AWS Account ID>:user/JohnDoe” //Specify the AWS ARN of your IAM user. 
 },
 "Action": "sts:AssumeRole"
 }
 ]
 }

    You can now, for instance, execute a Java program that invokes the assumeRole operation. 

    package com.example.sts;

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.StsException;
import software.amazon.awssdk.services.sts.model.AssumeRoleResponse;
import software.amazon.awssdk.services.sts.model.Credentials;
import java.time.Instant;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.time.format.FormatStyle;
import java.util.Locale;

/**
 * To make this code example work, create a Role that you want to assume.
 * Then define a Trust Relationship in the AWS Console. YOu can use this as an example:
 *
 * {
 * "Version": "2012-10-17",
 * "Statement": [
 * {
 * "Effect": "Allow",
 * "Principal": {
 * "AWS": "<Specify the ARN of your IAM user you are using in this code example>"
 * },
 * "Action": "sts:AssumeRole"
 * }
 * ]
 * }
 *
 * For more information, see "Editing the Trust Relationship for an Existing Role" in the AWS Directory Service guide.
 */

public class AssumeRole {

 public static void main(String[] args) {

 String roleArn = "arn:aws:iam::000540000000:role/s3role" ; // args[0];
 String roleSessionName = "mysession101"; // args[1];

 Region region = Region.US_EAST_1;
 StsClient stsClient = StsClient.builder()
 .region(region)
 .build();

 try {
 AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
 .roleArn(roleArn)
 .roleSessionName(roleSessionName)
 .build();

 AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest);

 Credentials myCreds = roleResponse.credentials();

 //Display the time when the temp creds expire
 Instant exTime = myCreds.expiration();

 // Convert the Instant to readable date
 DateTimeFormatter formatter =
 DateTimeFormatter.ofLocalizedDateTime( FormatStyle.SHORT )
 .withLocale( Locale.US)
 .withZone( ZoneId.systemDefault() );

 formatter.format( exTime );
 System.out.println("The temporary credentials expire on " + exTime );

 } catch (StsException e) {
 System.err.println(e.getMessage());
 System.exit(1);
 }

 }
}

    This code will not work if the Trust Relationship is not set.

    • 9

Leave an answer

You must login to add an answer.

Need An Account,