AWS Boto3 - User is not authorized to perform sts::AssumeRole on resource?
Solution 1
Finally I found the solution, I have updated the connection object as follows and it works form me -
sts_connection = boto3.client('sts')
assumed_role_object =
sts_connection.assume_role(RoleArn=my_role_arn,RoleSessionName=str(rolid))
We need to pass "sts" in boto3 client object and in sts connection object need to pass your role arn and roleId for you want to create Federated login link.
Solution 2
I also faced the same issue which is mentioned above and i tried the above mentioned suggestions as well but no luck. Then i realized that the AWS account which i used for testing is not authorized. So i added the below in the Trusted Relationship under role summary page in AWS console to authenticate the AWS account.
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::123456789012:root"
},
"Action": "sts:AssumeRole"
}
Its started working. I believe it may helpful to new guys to AWS like me.
Related videos on Youtube
Rahul Gaikwad
I am a software engineer ,I like building things to solve problems. This is what engineers do. So it was a natural fit for me to become an engineer.My passion outside of work is listening music.
Updated on June 04, 2022Comments
-
Rahul Gaikwad almost 2 years
I am Creating a URL that Enables Federated Users to Access the AWS Management Console by sts:AssumeRole with below reference by using python Boto3 AWS SDK -
I can successfully assume a role via AWS CLI. But, I do not understand at all why when I use the Boto library and calling the python script by PHP and shell_exe I receive the following error:
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User arn:aws:iam::xxx:user/admin is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxx/(role-name)
Here admin user has full administrative access, and the same script running successfully and giving login link by CLI :-
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/role-name --role-session-name "RoleSession1"
This is the python sample:
#!/usr/bin/python35 import urllib, json import requests import boto3 import urllib.parse import sys import cgi import json sts_connection = boto3.client('sts',aws_access_key_id='my_access_key',aws_secret_access_key='my_secret_key') assumed_role_object = sts_connection.assume_role( RoleArn=my_role_arn, RoleSessionName="AssumeRoleSession" ) json_string_with_temp_credentials = '{' json_string_with_temp_credentials += '"sessionId":"' + assumed_role_object.get('Credentials').get('AccessKeyId') + '",' json_string_with_temp_credentials += '"sessionKey":"' + assumed_role_object.get('Credentials').get('SecretAccessKey') + '",' json_string_with_temp_credentials += '"sessionToken":"' + assumed_role_object.get('Credentials').get('SessionToken') + '"' json_string_with_temp_credentials += '}' request_parameters = "?Action=getSigninToken" request_parameters += "&SessionDuration=1800" request_parameters += "&Session=" + urllib.parse.quote(json_string_with_temp_credentials) request_url = "https://signin.aws.amazon.com/federation" + request_parameters r = requests.get(request_url) signin_token = json.loads(r.text) request_parameters = "?Action=login" request_parameters += "&Issuer=www.whizlabs.com" request_parameters += "&Destination=" + urllib.parse.quote("https://console.aws.amazon.com/") request_parameters += "&SigninToken=" + signin_token["SigninToken"] request_url = "https://signin.aws.amazon.com/federation" + request_parameters print (request_url)
Problem with calling the same script by webserver using PHP shell_exec as follows -:
$output = shell_exec("python3 get_link.py arn=".$arn." 2>&1");
I do not think that the problem is with IAM roles and policies; if it was, AWS CLI would not connect as well.
Any suggestion?
-
John Rotenstein over 5 yearsThe error clearly states the problem. Please show the permissions associated with the
admin
IAM user. Are the User and the Role in the same AWS Account? Also, when you run from the AWS CLI you are using credentials from the credentials file, yet in your code you have hard-coded credentials. It is recommended to never hard-code credentials in source code. If you leave them out, boto3 will use the credentials file, too. (It is quite likely that your app is using different credentials to the AWS CLI.) -
Rahul Gaikwad over 5 yearsThanks John for sharing this, My admin IAM user has full administrative access. I am using the same credentials in boto3 as aws cli . How can I configure it for boto3 credentials file, can you please share some tutorial or something from where I can get hepl.
-
John Rotenstein over 5 yearsIf your
aws
command works, then you already have a credentials file that works. Your code (if run as the same user on the same computer) will automatically find it. So, there is no need to provide the credentials in theboto3.client
command. See: Configuring the AWS CLI - AWS Command Line Interface
-
-
Alfredo Lozano over 4 yearsIs this 'AWS' param the arn from the user that wants to assume role? or is it the arn from the role?