1
votes

I am trying to move files from an S3 bucket in one account (source account) to an S3 bucket in another account (destination account). I am using a SageMaker notebook, so I have a SageMaker role. I also have a role in my team account which has full S3 access and full SageMaker access, and in the trust relationship I have given the destination account role ARN and the SageMaker role ARN. The destination account also has my team role ARN and the SageMaker role ARN in its trust policy.

I am trying to assume my team role and then I will assume the destination role to copy files.

    import boto3
    sts_client = boto3.client('sts')
    assumed_teamrole_object = sts_client.assume_role(DurationSeconds=1800,
                                                     RoleArn='myteamrole',
                                                     RoleSessionName='test1')
    assumed_destrole_object = sts_client.assume_role(DurationSeconds=1800,
                                                     ExternalId='externalid provided by destination account',
                                                     RoleArn='destination account role',
                                                     RoleSessionName='test2')

The first three lines execute fine. When I try to assume the destination role I am getting the error:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::role/AmazonSageMaker-ExecutionRole-/SageMaker is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::destinationrole

Is there something I am missing? What am I doing wrong? Please help. I don't have any user, it is just roles.

Thanks!

1
What are the permissions on the AmazonSageMaker-ExecutionRole- role? - Marcin
@Marcin actually there are no permissions on the sagemaker-execution role. "Principal": { "Service": "sagemaker.amazonaws.com" }, "Action": "sts:AssumeRole" is all I have in the trust relationship for this role - anaz8
@Marcin in the sagemaker execution policy I have "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket" ], "Resource": [ "arn:aws:s3:::*" ] } ] } - anaz8

1 Answer

1
votes

The error message indicates that you are missing sts:AssumeRole permissions. Your comments indicate that this is the case, as you have only S3 permissions for now.

To rectify this, you can add an inline policy to the AmazonSageMaker-ExecutionRole role, in the form of:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
}

You can further limit the Resource to only arn:aws:iam::destinationrole, but for tests you can try with * as the Resource.
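The two things this thread turns on, shown together as an added example (not code from the question, the answer, or AWS): the second assume_role in the question is issued by the same client as the first, so it still runs as the SageMaker execution role rather than the team role, and a cross-account AssumeRole needs the caller's own identity policy to allow sts:AssumeRole in addition to the target's trust policy. The FakeSts class is a constructed, offline stand-in for STS with that simplified authorization rule; the role ARNs, external ID, and trust and identity tables are placeholders. assume_role_chain rebuilds the client from each hop's credentials, and assume_role_policy emits the inline policy from the answer scoped to named roles instead of "*". boto3_sts_factory is the hook for real AWS and is not exercised here.

```python
"""Chained sts:AssumeRole plus a scoped inline policy (added example, not the page's code)."""


class AccessDenied(Exception):
    """Stands in for botocore's AccessDenied ClientError."""


def account_of(arn):
    """Return the 12-digit account field of an IAM/STS ARN."""
    return arn.split(":")[4]


class FakeSts:
    """Offline stand-in for an STS client (constructed for this example).

    Simplified rule: the target role's trust policy must name the caller, and for a
    cross-account call the caller's identity policy must also allow sts:AssumeRole on
    the target. A same-account call passes on the trust policy alone, which is why the
    question's first hop worked with only S3 permissions on the execution role.
    """

    def __init__(self, trust, identity_policies, principal):
        self.trust = trust                          # role_arn -> {"principals", "external_id"}
        self.identity_policies = identity_policies  # principal_arn -> set of assumable role ARNs
        self.principal = principal                  # the identity this client acts as

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds=3600, ExternalId=None):
        entry = self.trust.get(RoleArn, {})
        trusted = self.principal in entry.get("principals", ())
        same_account = account_of(self.principal) == account_of(RoleArn)
        permitted = RoleArn in self.identity_policies.get(self.principal, ())
        if not (trusted and (same_account or permitted)):
            raise AccessDenied(f"User: {self.principal} is not authorized to perform: "
                               f"sts:AssumeRole on resource: {RoleArn}")
        if entry.get("external_id") and entry["external_id"] != ExternalId:
            raise AccessDenied(f"ExternalId mismatch for {RoleArn}")
        # Real STS returns an assumed-role session ARN; the plain role ARN is used here
        # so the next hop's trust lookup stays simple.
        return {"Credentials": {"AccessKeyId": f"ASIA{RoleSessionName}",
                                "SecretAccessKey": "constructed", "SessionToken": "constructed"},
                "AssumedRoleUser": {"Arn": RoleArn}}


def assume_role_chain(sts_factory, hops):
    """Assume each role in `hops` in turn; the client for hop N+1 is built from hop N's
    credentials, so the second call really runs as the team role."""
    client = sts_factory(None)
    response = None
    for hop in hops:
        response = client.assume_role(**hop)
        client = sts_factory(response)
    return response


def boto3_sts_factory(response):
    """Factory for real AWS (needs boto3, credentials and network; not run offline)."""
    import boto3
    if response is None:
        return boto3.client("sts")
    c = response["Credentials"]
    return boto3.client("sts", aws_access_key_id=c["AccessKeyId"],
                        aws_secret_access_key=c["SecretAccessKey"],
                        aws_session_token=c["SessionToken"])


def assume_role_policy(role_arns):
    """Inline policy for the execution role: sts:AssumeRole on named roles, not '*'."""
    return {"Version": "2012-10-17",
            "Statement": [{"Sid": "AllowAssumeNamedRoles", "Effect": "Allow",
                           "Action": "sts:AssumeRole", "Resource": sorted(role_arns)}]}


# Constructed scenario mirroring the question: placeholder ARNs and external ID.
SAGEMAKER_ROLE = "arn:aws:iam::111111111111:role/AmazonSageMaker-ExecutionRole-EXAMPLE"
TEAM_ROLE = "arn:aws:iam::111111111111:role/TeamRole"
DEST_ROLE = "arn:aws:iam::222222222222:role/DestinationRole"
EXTERNAL_ID = "constructed-external-id"
TRUST = {TEAM_ROLE: {"principals": {SAGEMAKER_ROLE, DEST_ROLE}, "external_id": None},
         DEST_ROLE: {"principals": {SAGEMAKER_ROLE, TEAM_ROLE}, "external_id": EXTERNAL_ID}}
IDENTITY = {SAGEMAKER_ROLE: set(),        # S3 only, as in the comments
            TEAM_ROLE: {DEST_ROLE}}       # team role may assume the destination role


def make_fake_factory(trust, identity, caller_arn):
    def factory(response):
        principal = caller_arn if response is None else response["AssumedRoleUser"]["Arn"]
        return FakeSts(trust, identity, principal)
    return factory


def question_pattern():
    """Both calls from the original client, as in the question; returns the error text."""
    sts = make_fake_factory(TRUST, IDENTITY, SAGEMAKER_ROLE)(None)
    sts.assume_role(RoleArn=TEAM_ROLE, RoleSessionName="test1", DurationSeconds=1800)
    try:
        sts.assume_role(RoleArn=DEST_ROLE, RoleSessionName="test2", DurationSeconds=1800,
                        ExternalId=EXTERNAL_ID)
    except AccessDenied as err:
        return str(err)
    return "allowed"


def chained_pattern():
    """SageMaker -> team -> destination as a real chain; returns the final principal ARN."""
    hops = [{"RoleArn": TEAM_ROLE, "RoleSessionName": "test1", "DurationSeconds": 1800},
            {"RoleArn": DEST_ROLE, "RoleSessionName": "test2", "DurationSeconds": 1800,
             "ExternalId": EXTERNAL_ID}]
    final = assume_role_chain(make_fake_factory(TRUST, IDENTITY, SAGEMAKER_ROLE), hops)
    return final["AssumedRoleUser"]["Arn"]
```

Running question_pattern() reproduces the AccessDenied message with the execution role as the denied principal, while chained_pattern() reaches the destination role because the second hop is made by a client carrying the team role's credentials. For real use, pass boto3_sts_factory to assume_role_chain and, per the answer, attach assume_role_policy([...]) to the execution role with the specific role ARNs rather than "*".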