How enable access to AWS STS AssumeRole?

Question

When I try to call "assume role" method of STS, I'm getting an error. It says that the user is not authorized to perform "AssumeRole" on the resource.

Below is my Group policy:

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Sid": "some-large-id",

            "Effect": "Allow",

            "Action": [

                "sts:*"

            ],

            "Resource": [

                "*"

            ]

        }

    ]

}

and my role policy:

{

    "Version": "2012-10-17",

    "Statement": [

        {

            "Sid": "another-large-id",

            "Effect": "Allow",

            "Action": [

                "s3:PutObject"

            ],

            "Resource": [

                "arn:aws:s3:::my-bucket-name/*"

            ]

        }

    ]

}

And this how I'm calling:

let policy = {

    "Version": "2012-10-17",

    "Statement": [

        {

            "Sid": "new-custom-id",

            "Effect": "Allow",

            "Action": ["s3:PutObject"],

            "Resource": ["arn:aws:s3:::my-bucket-name/*"]

        }

    ]

};

let params = {

    DurationSeconds: 3600, 

    ExternalId: 'some-value', 

    Policy: JSON.stringify(policy), 

    RoleArn: "arn:aws:iam::NUMBER:role/ROLE-NAME", //Cheked, role is the same that step one

    RoleSessionName: this.makeNewSessionId()

};

let sts = new AWS.STS({ apiVersion: '2012-08-10' });

sts.assumeRole(params, (err, data) => {

    if(err) console.log(err);

    else console.log(data);

});

Where I'm wrong?

Answer 1

You have missed a step, that is to set trust relationship on roles creates in the first step.

Why, because no matter what privileges the user has if the trust relationship is not set STS will refuse the request. Here you can read, how exactly it works. 

Do you want to master AWS, then do check out the AWS Course by Intellipaat.