AWS 403 Unauthorised Error while trying to create temporary credentials using IAM user

Question

I am trying to get temporary credentials to upload files to S3 bucket. I am using credentials of an IAM user to call STS assumeRole method. The Role is created via AWS Cognito. Below is the IAM user Policy and the role Policy,

Error Msg:

POST https://sts.amazonaws.com/ 403 (Forbidden)

User: arn:aws:iam::########:user/iamUser  is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::#########:role/myRole

IAM User Policy

{
 "Statement": [
   {
     "Effect": "Allow",
     "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
     "Resource": "arn:aws:s3:::*"
   },
   {
     "Effect": "Allow",
     "Action": ["s3:ListBucket" ],
     "Resource": [ "arn:aws:s3:::myBucket"]
   },
   {
     "Effect": "Allow",
     "Action": [ "s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectAcl","s3:PutObjectAcl"],
     "Resource": [ "arn:aws:s3:::myBucket/*"]
   },
   {
   "Effect": "Allow",
   "Action": "iam:PassRole",
   "Resource": ["arn:aws:iam::###########:role/myRole"]
   },
   {
   "Effect": "Allow",
   "Action": "sts:AssumeRole",
   "Resource": ["arn:aws:iam::###########:role/myRole"]
   }
 ]
}

Role Policy

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Sid": "Stmt1420643359000",
     "Effect": "Allow",
     "Action": [
       "s3:*"
     ],
     "Resource": [
       "arn:aws:s3:::myBucket"
     ]
   }
 ]
}

role policy gives s3 permission, but not STS permission. They are different. — BMW

Bob Kinney Bob Kinney · Accepted Answer · 2015-01-09T00:57:06

Cognito roles are meant to be called with AssumeRoleWithWebIdentity, not AssumeRole.

You indicated this is JavaScript, have you looked at the JavaScript SDK docs for using Cognito?

AWS 403 Unauthorised Error while trying to create temporary credentials using IAM user

2 Answers