2
votes

In our application, we access the AWS APIs with custom roles. In the developer environment, we provide the access key and secret key in the app.config and it works great.

In the prod environment, we have set up an IAM role with the necessary permissions to the custom roles, and the EC2 instance is launched with that IAM role. When we try to switch roles using the code, we get the error below:

Message: User: arn:aws:sts::XXXXXXXXX:assumed-role//i-0490fbbb5ea7df6a8 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::XXXXXXXXXX:role/

Code:

// STS client picks up the EC2 instance role credentials from the instance metadata
AmazonSecurityTokenServiceClient stsClient = new AmazonSecurityTokenServiceClient();
AssumeRoleResponse assumeRoleResponse = await stsClient.AssumeRoleAsync(new AssumeRoleRequest
{
    RoleArn = roleArn,
    RoleSessionName = sessionName
});

// Temporary credentials for the assumed custom role
var sessionCredentials = new SessionAWSCredentials(
    assumeRoleResponse.Credentials.AccessKeyId,
    assumeRoleResponse.Credentials.SecretAccessKey,
    assumeRoleResponse.Credentials.SessionToken);

AmazonS3Client s3Client = new AmazonS3Client(sessionCredentials);

Policy details:

"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::account_id:role/role-name"

Any help on this would be great. Thanks in advance.


1 Answer

4
votes

We resolved the issue by adding the policy below to the trust relationship of the custom role.

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "<ARN of role that has to assume the custom role>"
  },
  "Action": "sts:AssumeRole"
}
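As an added illustration (not code from the question or the answer), the following Python checker models the two policies involved in a role switch: the caller's identity policy (the one the question shows) and the target role's trust policy (the one the answer adds). The point it makes explicit is that the trust policy must name the caller's IAM role ARN, not the STS assumed-role ARN that appears in the error message; the account id, role names and policies are constructed placeholders.

```python
import re

# Constructed sample policies (not from the post): the instance role's identity
# policy as in the question, and the custom role's trust policy as in the answer.
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111111111111:role/custom-role"}]}
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111111111111:role/ec2-instance-role"}}]}
# Constructed caller identity: what STS reports for code running under the instance role.
CALLER_ARN = "arn:aws:sts::111111111111:assumed-role/ec2-instance-role/i-0123456789abcdef0"
TARGET_ROLE_ARN = "arn:aws:iam::111111111111:role/custom-role"

ASSUMED_ROLE_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")

def caller_role_arn(caller_arn):
    """Map the STS assumed-role ARN (the form seen in the error message) to the
    IAM role ARN a trust policy must name; other ARNs (e.g. IAM users) pass through."""
    m = ASSUMED_ROLE_RE.match(caller_arn)
    if not m:
        return caller_arn
    account, role = m.groups()
    return f"arn:aws:iam::{account}:role/{role}"

def _as_list(v):
    return v if isinstance(v, list) else [v]

def identity_allows(policy, target_role_arn):
    """Caller's identity-based policy: does it allow sts:AssumeRole on the target role?"""
    return any(s["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(s["Action"])
               and target_role_arn in _as_list(s["Resource"]) for s in policy["Statement"])

def trust_allows(policy, caller_arn):
    """Target role's trust policy: does it name the caller's IAM role (or its account root)?"""
    role_arn = caller_role_arn(caller_arn)
    account = role_arn.split(":")[4]
    accepted = {role_arn, f"arn:aws:iam::{account}:root"}
    return any(s["Effect"] == "Allow" and "sts:AssumeRole" in _as_list(s["Action"])
               and not accepted.isdisjoint(_as_list(s.get("Principal", {}).get("AWS", [])))
               for s in policy["Statement"])

def can_assume(identity_policy, trust_policy, caller_arn, target_role_arn):
    """Conservative check: require both the identity policy and the trust policy to allow."""
    return identity_allows(identity_policy, target_role_arn) and trust_allows(trust_policy, caller_arn)
```

Run with the trust policy left empty and the check fails the same way the question's setup did, even though the identity policy allows the call.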