2
votes

I am trying to get temporary credentials to upload files to an S3 bucket. I am using the credentials of an IAM user to call the STS assumeRole method. The role is created via AWS Cognito. Below are the IAM user policy and the role policy.

Error Msg:

POST https://sts.amazonaws.com/ 403 (Forbidden)

User: arn:aws:iam::########:user/iamUser  is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::#########:role/myRole

IAM User Policy

{
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetBucketLocation", "s3:ListAllMyBuckets"],
      "Resource": "arn:aws:s3:::*"
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::myBucket"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:PutObject", "s3:GetObject", "s3:DeleteObject", "s3:GetObjectAcl", "s3:PutObjectAcl"],
      "Resource": ["arn:aws:s3:::myBucket/*"]
    },
    {
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": ["arn:aws:iam::###########:role/myRole"]
    },
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": ["arn:aws:iam::###########:role/myRole"]
    }
  ]
}

Role Policy

{
 "Version": "2012-10-17",
 "Statement": [
   {
     "Sid": "Stmt1420643359000",
     "Effect": "Allow",
     "Action": [
       "s3:*"
     ],
     "Resource": [
       "arn:aws:s3:::myBucket"
     ]
   }
 ]
}

2
The role policy gives S3 permission, but not STS permission. They are different. - BMW

2 Answers

1
votes

Cognito roles are meant to be called with AssumeRoleWithWebIdentity, not AssumeRole.

You indicated this is JavaScript, have you looked at the JavaScript SDK docs for using Cognito?

0
votes

Add the lines below to the role policy to give the right permission to the IAM role.

IAM roles and IAM users don't share permissions with each other.

{
  "Sid": "Stmt1420676933473",
  "Action": [
    "sts:AssumeRole"
  ],
  "Effect": "Allow",
  "Resource": "arn:aws:iam::###########:role/myRole"
}
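Added example, not code from the question or from either answer: a deliberately simplified simulation in JavaScript (the language the first answer refers to) of how STS decides whether a role may be assumed, run over the situations in this thread: the question's AssumeRole call by the IAM user, the AssumeRoleWithWebIdentity call the first answer describes, and the role policy with the second answer's statement added. The account id, the identity pool id, the trust policy (a constructed sample of the shape Cognito attaches to the roles it creates) and the helper functions `identityPolicyAllows`, `trustPolicyAllows`, `canAssume` and `scenarios` are all assumptions made for this example. It goes slightly beyond the page by also showing the identity-pool `aud` condition check.

```javascript
// Added example, not code from the question or the answers: a deliberately
// simplified model of how STS decides whether a role may be assumed. Real IAM
// evaluation has more rules (explicit Deny, wildcards, NotPrincipal, and the
// same-account shortcut when the trust policy names the user ARN directly);
// this keeps only the point under discussion: the role's trust policy, not its
// permissions policy, decides who may assume it and with which STS action.

const ACCOUNT = "123456789012";                                    // constructed account id
const ROLE_ARN = `arn:aws:iam::${ACCOUNT}:role/myRole`;
const USER_ARN = `arn:aws:iam::${ACCOUNT}:user/iamUser`;
const POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"; // constructed pool id

// Constructed sample of the trust policy shape Cognito attaches to the roles it
// creates: it trusts the Cognito federated principal for AssumeRoleWithWebIdentity,
// scoped to one identity pool. No IAM user is a principal here, whatever that
// user's own identity policy says.
const cognitoTrustPolicy = {
  Version: "2012-10-17",
  Statement: [{
    Effect: "Allow",
    Principal: { Federated: "cognito-identity.amazonaws.com" },
    Action: "sts:AssumeRoleWithWebIdentity",
    Condition: { StringEquals: { "cognito-identity.amazonaws.com:aud": POOL_ID } },
  }],
};

// The STS part of the IAM user's identity policy from the question.
const userIdentityPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "sts:AssumeRole", Resource: [ROLE_ARN] }],
};

// The role's permissions policy with the second answer's statement added.
// canAssume() below never reads this field: a permissions policy governs what
// the assumed role can do, not who may assume it.
const rolePermissionsPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["s3:*"], Resource: ["arn:aws:s3:::myBucket"] },
    { Effect: "Allow", Action: ["sts:AssumeRole"], Resource: ROLE_ARN },
  ],
};

const asList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// Allow-only check of an identity policy for one action on one resource.
function identityPolicyAllows(policy, action, resource) {
  return policy.Statement.some((s) =>
    s.Effect === "Allow" && asList(s.Action).includes(action) && asList(s.Resource).includes(resource));
}

// Trust-policy check: some Allow statement must cover the action, name the caller
// under the matching Principal type, and have every StringEquals condition
// satisfied by the caller's request context.
function trustPolicyAllows(trust, caller, action) {
  return trust.Statement.some((s) => {
    if (s.Effect !== "Allow" || !asList(s.Action).includes(action)) return false;
    if (!asList((s.Principal || {})[caller.type]).includes(caller.id)) return false;
    const eq = (s.Condition || {}).StringEquals || {};
    return Object.entries(eq).every(([key, val]) => caller.context[key] === val);
  });
}

// The decision: the trust policy must allow the call; an IAM principal must
// additionally be allowed that action on the role ARN by its own identity policy.
function canAssume(role, caller, action) {
  if (!trustPolicyAllows(role.trustPolicy, caller, action)) return false;
  if (caller.type === "AWS") return identityPolicyAllows(caller.identityPolicy, action, role.arn);
  return true;
}

// Returns a copy of the role with one more trust-policy statement.
function withTrustStatement(role, statement) {
  const trustPolicy = { ...role.trustPolicy, Statement: [...role.trustPolicy.Statement, statement] };
  return { ...role, trustPolicy };
}

const iamUser = { type: "AWS", id: USER_ARN, identityPolicy: userIdentityPolicy, context: {} };
const cognitoUser = {
  type: "Federated", id: "cognito-identity.amazonaws.com",
  context: { "cognito-identity.amazonaws.com:aud": POOL_ID },
};
const otherPoolUser = { ...cognitoUser, context: { "cognito-identity.amazonaws.com:aud": "us-east-1:other" } };
const cognitoRole = { arn: ROLE_ARN, trustPolicy: cognitoTrustPolicy, permissionsPolicy: rolePermissionsPolicy };

// The situations from the thread, as one table of outcomes.
function scenarios() {
  const trustsUser = withTrustStatement(cognitoRole,
    { Effect: "Allow", Principal: { AWS: USER_ARN }, Action: "sts:AssumeRole" });
  return {
    // The question's call: denied, the Cognito trust policy has no AWS principal,
    // and the sts:AssumeRole statement in the role's permissions policy changes nothing.
    userAssumeRole: canAssume(cognitoRole, iamUser, "sts:AssumeRole"),
    // What the Cognito role is built for (first answer).
    cognitoWebIdentity: canAssume(cognitoRole, cognitoUser, "sts:AssumeRoleWithWebIdentity"),
    // The same call from another identity pool fails the aud condition.
    otherPoolWebIdentity: canAssume(cognitoRole, otherPoolUser, "sts:AssumeRoleWithWebIdentity"),
    // AssumeRole by the IAM user succeeds only once the trust policy names that user.
    userAssumeRoleAfterTrust: canAssume(trustsUser, iamUser, "sts:AssumeRole"),
  };
}

console.log(scenarios());
```

Running it with node prints the four outcomes: only the Cognito web-identity call against the unmodified role and the IAM user's call against the role whose trust policy names that user come back true. The helper `rolePermissionsPolicy` is defined but never consulted by `canAssume`, which is the mechanism behind the comment that S3 permission and STS permission are different things.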