We Keep Coding

Allow user to assume an IAM role with SSO login

I am trying to allow a user to assume a role on AWS. I attached an assume role policy to a group where the IAM user belongs so that they can assume a particular role. The problem is that the user now uses SSO to login and and is no longer allowed to login into through console with the IAM user credentials, therefore the user is unable to assume the role. How can I configure a user with SSO login to assume an existing IAM role? When i created the Assume role policy I chose both AssumeRole and AssumeRoleWithSaml. But it's still not working.
This is what the AssumeRole policy looks like
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithSAML"
],
"Resource": "arn:aws:iam::xxxxxxxxxxxx:role/service-role/KinesisFirehoseServiceRole--us-east-1-xxxxxxxxxxxxx"
}
]
The Trust relationship for the role looks like this
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "firehose.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]

You need to specifically allow that user / role to be able to assume that role. Right now, the Principal is set to only allow the "firehose service" to assume that role.
The 2nd problem is that you need to specifically allow a SSO account to be able to access it. You'll need to get the ARN of your current SSO user session. To get this you should run aws sts get-caller-identity
You should get something like this
{
"UserId": "BROA5DAM2TACHAA38V9J1:daryl.teo#appetiser.com.au",
"Account": "1234567890",
"Arn": "arn:aws:sts::1234567890:assumed-role/AWSReservedSSO_AWSAdministratorAccess_abe68abec87ew/something.username"
}
Or a 1 liner aws sts get-caller-identity --output text --query Arn
Then take that value and add it to your policy as an additional policy statement.
{
"Version": "2012-10-17",
"Statement":
[
{
"Effect": "Allow",
"Principal":
{
"Service": "firehose.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
{
"Effect": "Allow",
"Principal":
{
"AWS": "arn:aws:sts::1234567890:assumed-role/AWSReservedSSO_AWSAdministratorAccess_abe68abec87ew/something.username"
},
"Action": "sts:AssumeRole"
},
]
}
And now you can use:
aws sts assume-role --role-arn=arn:aws:iam::123456823432:role/NameOfYourRole --role-session-name=role-session-name

I managed to enable SSO users to assume a role in the account they were authenticated to by using the following. Note that you'll need to replace ${ACCOUNT_ID}, ${SSO_ROLE_NAME}, and ${ASSUMABLE_ROLE_NAME}. You may, of course, need to repackage the bits.
aws iam create-role --role-name ${ASSUMABLE_ROLE_NAME} --assume-role-policy-document file://policy.json --profile $PROFILE
policy.json:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::${ACCOUNT_ID}:root"
},
"Action": "sts:AssumeRole",
"Condition": {
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:iam::${ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/*/AWSReservedSSO_${SSO_ROLE_NAME}_*",
"arn:aws:iam::${ACCOUNT_ID}:role/aws-reserved/sso.amazonaws.com/AWSReservedSSO_${SSO_ROLE_NAME}_*"
]
}
}
}
]
}

Thanks to everyone that responded. I was able to complete the task using this instructions. google saml sso with AWS

Assumed Role Cannot Assume Another Role

I'm bumping into a role chaining issue when utilizing AWS EKS and I'm not able to identify where the chaining is incorrect.
Role A in account 1 will be assuming role B in account 2.
Role A is an arn:aws:sts::{ACCOUNT-ID-1}:assumed-role/{ROLE-NAME}/{SESSION-NAME}
Role B is a standard: arn:aws:iam::{ACCOUNT-ID-2}:role/{ROLE-NAME}
Role A is an assumed-role because on deployments into EKS, the role is assumed.
The Policy for role A is
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "sts:*",
"Resource": "*"
}
]
}
The Trust Policy for B is
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "*"
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"aws:PrincipalOrgID": "{ORD}"
},
"ArnLike": {
"aws:PrincipalArn": [
"arn:aws:sts::{ACCOUNT-ID-1}:assumed-role/{ROLE-NAME}/{SESSION-NAME}"
]
}
}
}
]
}
*The aws:PrincipalOrgID match up correctly on validation
The role assumption is conducted in SpringBoot
#Bean
public WebIdentityTokenCredentialsProvider getCredProvider() {
return WebIdentityTokenCredentialsProvider.builder().roleSessionName("SESSION-NAME").build();
}
public AWSCredentialsProvider assumeRole() {
AWSCredentialsProvider credentials = getCredProvider();
AWSSecurityTokenService sts = AWSSecurityTokenServiceClientBuilder.standard()
.withRegion("us-west-1")
.withCredentials(credentials)
.build();
return new STSAssumeRoleSessionCredentialsProvider.Builder("arn:aws:iam::{ACCOUNT-ID-2}:role/{ROLE-NAME}", "role-b-session")
.withStsClient(sts)
.build();
}
This role assumption fails as:
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException:
User: arn:aws:sts::{ACCOUNT-ID-1}:assumed-role/{ROLE-NAME}/{SESSION-NAME}
is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{ACCOUNT-ID-2}:role/{ROLE-NAME}
(Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied;
I am not sure why the above would return an AccessDenied based on the configured trust and permission policies as well as the Java code.

Not authorized to perform: sts:AssumeRole on resource

I'm trying to use kubectl to work on a EKS Cluster created from an other user.
I followed the different instructions from the documentation to create the kube config file with the command : aws eks --region eu-central-1 update-kubeconfig --name internal --role-arn arn:aws:iam::xxxxxxxxxx:role/eks_role_internal.
Then when i try to test the configuration (kubectl get svc), i'm getting the error :
could not get token: AccessDenied: User: arn:aws:iam::xxxxxxxxxxxx:user/me is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxxx:role/eks_role_internal
Here is the config for the Policy :
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::xxxxxxxxxxx:role/eks_role_internal"
}
]
}
And the trust relationship of the role :
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"eks.amazonaws.com",
"ec2.amazonaws.com"
]
},
"Action": "sts:AssumeRole"
}
]
}

The first reason getting this error message is misconfigured Trusted relationship on a role that is going to be assumed.
I also was seeing this error when the attached condition in the trusted relationship of having MFA wasn't met:
"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
AWS cli isn't smart enough to see this case and ask for the MFA code, it just throws that error message.

Grant aws iam role permissions to an iam user in same account

I have an AWS role with s3 Read only permissions. I have already configured aws cli for an AWS user. So I want to use the same user to browse s3 files in aws cli.
what I did is,
Added trust relationship for root user to the role arn:aws:iam::<1234...>:role/test-role so that i can get this to all my iam users
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<1234..>:root",
"Service": "s3.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
then, I added a policy to user to assume above role.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt12345",
"Effect": "Allow",
"Action": [
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::<1234...>:role/test-role"
}
]
}
When i try to list , I get permission denied error.
aws s3 ls
An error occurred (AccessDenied) when calling the ListObjects operation: Access Denied
I made sure that role has full s3 read permission as follows.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:Get*",
"s3:List*"
],
"Resource": "*"
}
]
}
Can someone please guide where the problem is ?

If you're using the CLI you need a profile with the correct credentials.
You should have your credentials in an .aws/credentials file, e.g.:
[myprofile]
aws_access_key_id = ... access key ...
aws_secret_access_key = ... secret access key …
Then you can add a profile for the assumed role to the .aws/config file, e.g.:
[profile test-role]
source_profile=myprofile
role_arn = arn:aws:iam::<1234...>:role/test-role
Finally you set AWS_PROFILE to test-role before running the CLI command
SET AWS_PROFILE=test-role
aws s3 ls
I would have just posted a link to the AWS documentation but this site disapproves of link-only answers.

AWSSecurityTokenServiceException: Acced denied. User is not authorized to perform sts:AssumeRole

I'm new to aws. I want to generate temporary credentials for aws call. And for that I use example from Making Requests Using IAM User Temporary Credentials - AWS SDK for Java
Where I pass
String clientRegion = "<specific region>";
String roleARN = "<ARN from role>";
String roleSessionName = "Just random string"; //<-- maybe I should pass specific SessionName?
String bucketName = "<specific bucket name>";
And when trying assume role
stsClient.assumeRole(roleRequest);
get an error
com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException:
User: arn:aws:iam:::user/ is not authorized to perform:
sts:AssumeRole on resource: arn:aws:iam::<ID>:role/<ROLE_NAME> (Service: AWSSecurityTokenService; Status Code: 403; Error Code:
AccessDenied; Request ID:)
I have a cognito role.
I think the problem in role Trust Relationship settings.
It looks like this:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<iam user ID>:user/<USER_NAME>",
"Federated": "cognito-identity.amazonaws.com"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"cognito-identity.amazonaws.com:aud": "<user pool ID>"
},
"ForAnyValue:StringLike": {
"cognito-identity.amazonaws.com:amr": "authenticated"
}
}
}
]
}
and user policy (This user policy is attached to this Role also):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "<sidId1>",
"Effect": "Allow",
"Action": [
"s3:PutObject",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::<path>*"
]
},
{
"Sid": "sidId2",
"Effect": "Allow",
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithWebIdentity"
],
"Resource": [
"arn:aws:iam::<ID>:role/<ROLE_NAME>"
]
}
]
}
User policy has two warnings:
What I'm doing wrong?
UPD
I changed role Trust relationship, just delete Condition:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "cognito-identity.amazonaws.com",
"AWS": "arn:aws:iam::<ID>:user/<USER>"
},
"Action": [
"sts:AssumeRole",
"sts:AssumeRoleWithWebIdentity"
]
}
]
}
and now Access denied error occurred on another line of code:
// Verify that assuming the role worked and the permissions are set correctly
// by getting a set of object keys from the bucket.
ObjectListing objects = s3Client.listObjects(bucketName);
Received error response: com.amazonaws.services.s3.model.AmazonS3Exception: Access Denied (Service: Amazon S3; Status Code: 403; Error Code: AccessDenied; Request ID: ), S3 Extended Request ID:

To be able to assume to an IAM Role, simply the IAM Role assume role policy or trust relation must explicitly allow the principal assuming role into it, which in this case it didn't. It permitted sts:AssumeRoleWithWebIdentity with some conditions which didn't apply to your case.
About the other error, as mentioned by the #user818510 your role doesn't have permission to s3:ListBucket action.