AWS AssumeRole - User is not authorized to perform: sts:AssumeRole on resource

24
votes

I am attempting to call the AssumeRole function using AWS sts in my PHP program since I want to create temporary credentials to allow a user to create an object for an AWS bucket.

Below is the fumction I am calling PHP:

  $sts = StsClient::factory(array(
                'key'    => 'XXXXXXXXXXXXXX',
                'secret' => 'XXXXXXXXXXXXXXXX',
                'token.ttd' => $timetodie
            ));             
  $bucket = "mybucket";             
            $result1 = $sts->assumeRole(array(          
                'RoleArn' => 'arn:aws:iam::123456789012:role/createPic',
                'RoleSessionName' => 'mytest',
                'Policy' => json_encode(array(
                        'Statement' => array(
                             array(
                                  'Sid' => 'Deny attributes',
                                  'Action' => array(
                                  's3:deleteObject', 
                                  's3:deleteBucket'
                                  ),
                                  'Effect' => 'Deny',
                                  'Resource' => array(
                                  "arn:aws:s3:::{$bucket}",
                                  "arn:aws:s3:::{$bucket}/AWSLogs/*"
                                  ),
                                  'Principal' => array(
                                  'AWS' =>   "*"
                                  )
                              ) 
                          )
                      )
                  ),
                'DurationSeconds' => 3600,
             //   'ExternalId' => 'string',
            ));
            
            $credentials  = $result1->get('Credentials');

However, I keep getting the following error:

User arn:aws:iam::123456789012:user/TVMUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/createPic

Below is my permissions policy for user TVMUser on my AWS console:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"ec2:RunInstances",
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":"iam:PassRole",
         "Resource":"arn:aws:iam::791758789361:user/TVMUser"
      },
      {
         "Effect":"Allow",
         "Action":"sts:AssumeRole",
         "Resource":"arn:aws:iam::791758789361:role/createPic"
      }
   ]
}

Below is my role policy for the role createPic:

{
   "Version":"2012-10-17",
   "Statement":[
      {
         "Effect":"Allow",
         "Action":"ec2:RunInstances",
         "Resource":"*"
      },
      {
         "Effect":"Allow",
         "Action":"iam:PassRole",
         "Resource":"arn:aws:iam::791758789361:user/TVMUser"
      },
      {
         "Effect":"Allow",
         "Action":"sts:AssumeRole",
         "Resource":"arn:aws:iam::791758789361:role/createPic"
      }
   ]
}

Does anyone now what I am missing in my AWS policy statements and setup on AWS so I don't get the following error?

User arn:aws:iam::123456789012:user/TVMUser is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/createPic

Am I missing something?

3
phpamazon-web-services
I assume the resource in the permission assumeRole 791758789361 is a typo and you mean 123456789012.bennie j

3 Answers

66
votes

You also need to edit the Trust relationship for the role to allow the account (even if it's the same) to assume the role.

  1. open the role that you want to assume in the console
  2. click on the "Trust Relationships" tab
  3. click on "Edit RelationShip"
  4. add a statement for the account that you want to add (usually you'll only have the ec2 service in the "Trusted Entities") e.g.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:role/some-role"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

In this example I had to add the "AWS" principal with the proper account number, the ec2.amazonaws.com Service was already there.

After I've done that I was able to assume the role without issue. Took me literally hours to figure this out, hope that will help someone.

6
votes

I had the same error and spent hours trying to fix it with permissions and trust relationships... but that was not my problem.

I was following this tutorial and I deployed the cluster in US West (Oregon) as specified.

To make it work, I needed to activate STS for this region here.

enter image description here

2
votes

Maybe you should assign your sts region and endpoint:

$sts = StsClient::factory(array(
    //...      
    'region'   => 'us-west-2',                                                                                                                                                                              
    'endpoint' => 'https://sts.us-west-2.amazonaws.com', 
));