
AWS assume role access denied while using SDK


I am using the Go SDK to create a new role and assume it. Both are done with the same IAM user. The role trust relationship is as follows:

{
    "Statement": [{
        "Effect": "Allow",
        "Principal": { "AWS": "<an admin user>" },
        "Action": [ "sts:AssumeRole" ]
    }]
}

Later, when trying to add an object to a bucket, I can create a session token, but the PutObject operation fails with AccessDenied. The bucket policy is:

{
      "Effect": "Allow",
      "Action":"s3:*",
      "Resource": [
        "arn:aws:s3:::<name of the bucket>/*"
      ],
      "Condition": {}
}

Solution

  • If the role you are assuming does not grant access to the S3 bucket via the role policies, you'll need to add the role as a principal to the bucket policy.

    There's a handy tool here: https://awspolicygen.s3.amazonaws.com/policygen.html that helps with generating bucket policies. But it should end up looking like:

    {
          "Effect": "Allow",
          "Action":"s3:*",
          "Principal": {
              "AWS": ["arn:aws:iam::<accountid>:role/<name of assumed role>"]
          },
          "Resource": [
            "arn:aws:s3:::<name of the bucket>/*"
          ],
          "Condition": {}
    }
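As an added example (not part of the question or the answer above, and not AWS SDK code), the following Go program evaluates the two bucket policies offline the way S3 does for a principal that is not otherwise granted access: the statement from the question, which names no Principal and therefore grants nobody anything, and the answer's corrected statement with the role as Principal. It uses only the standard library. The account ID, bucket name, role name and session name are placeholders, and the evaluator deliberately ignores Condition blocks and only understands AWS principals, which is enough for these two documents. It also shows the caveat a practitioner will hit next: a role ARN named as Principal covers every assumed-role session of that role, but a Resource of bucket/* only covers object-level actions such as PutObject, so bucket-level actions like ListBucket still need the bucket ARN itself.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Policy and Statement hold the subset of a bucket policy this check reads.
// Principal, Action and Resource may each be a string or a list in IAM JSON,
// so they are kept as json.RawMessage and normalised when evaluated.
// Condition is not modelled: every statement is treated as unconditional.
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

type Statement struct {
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
	Resource  json.RawMessage `json:"Resource"`
}

// Constructed sample values; account, bucket, role and session are placeholders.
const (
	bucket     = "example-bucket"
	roleARN    = "arn:aws:iam::123456789012:role/uploader"
	sessionARN = "arn:aws:sts::123456789012:assumed-role/uploader/sdk-session"

	// The statement from the question, wrapped in a full policy document.
	// It has no Principal, so no caller can match it.
	BrokenPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*",
	  "Resource":["arn:aws:s3:::example-bucket/*"],"Condition":{}}]}`

	// The same statement with the assumed role added as Principal, per the answer.
	FixedPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:*",
	  "Principal":{"AWS":["arn:aws:iam::123456789012:role/uploader"]},
	  "Resource":["arn:aws:s3:::example-bucket/*"],"Condition":{}}]}`
)

// stringList decodes a JSON value that is either a string or a list of strings.
func stringList(raw json.RawMessage) []string {
	if len(raw) == 0 {
		return nil
	}
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	if json.Unmarshal(raw, &many) == nil {
		return many
	}
	return nil
}

// principalARNs returns the AWS principals of a statement: "*" or {"AWS": ...}.
// A statement with no Principal yields nil and can never match a caller.
func principalARNs(raw json.RawMessage) []string {
	if len(raw) == 0 {
		return nil
	}
	var star string
	if json.Unmarshal(raw, &star) == nil {
		return []string{star}
	}
	var m map[string]json.RawMessage
	if json.Unmarshal(raw, &m) != nil {
		return nil
	}
	return stringList(m["AWS"])
}

// matchGlob implements IAM-style wildcards: '*' matches any run of characters
// (including '/'), '?' matches exactly one character.
func matchGlob(pattern, s string) bool {
	for len(pattern) > 0 {
		switch pattern[0] {
		case '*':
			for i := 0; i <= len(s); i++ {
				if matchGlob(pattern[1:], s[i:]) {
					return true
				}
			}
			return false
		case '?':
			if len(s) == 0 {
				return false
			}
		default:
			if len(s) == 0 || s[0] != pattern[0] {
				return false
			}
		}
		pattern, s = pattern[1:], s[1:]
	}
	return len(s) == 0
}

// actionMatches compares actions case-insensitively, as IAM does.
func actionMatches(pattern, action string) bool {
	return matchGlob(strings.ToLower(pattern), strings.ToLower(action))
}

// principalMatches accepts "*", an exact ARN, or a role ARN whose assumed-role
// session ARN (arn:aws:sts::ACCT:assumed-role/NAME/SESSION) is the caller.
func principalMatches(principal, caller string) bool {
	if principal == "*" || principal == caller {
		return true
	}
	const rolePrefix = ":role/"
	i := strings.Index(principal, rolePrefix)
	if i < 0 || !strings.HasPrefix(principal, "arn:aws:iam::") {
		return false
	}
	acct := strings.TrimPrefix(principal[:i], "arn:aws:iam::")
	name := principal[i+len(rolePrefix):]
	name = name[strings.LastIndex(name, "/")+1:] // session ARNs drop the role path
	return strings.HasPrefix(caller, "arn:aws:sts::"+acct+":assumed-role/"+name+"/")
}

func anyMatch(patterns []string, value string, match func(pattern, value string) bool) bool {
	for _, p := range patterns {
		if match(p, value) {
			return true
		}
	}
	return false
}

// Allows reports whether policyJSON grants callerARN the action on resourceARN.
// Any matching Deny wins; otherwise at least one matching Allow is required.
func Allows(policyJSON, callerARN, action, resourceARN string) (bool, error) {
	var p Policy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return false, err
	}
	allowed := false
	for _, st := range p.Statement {
		if !anyMatch(principalARNs(st.Principal), callerARN, principalMatches) ||
			!anyMatch(stringList(st.Action), action, actionMatches) ||
			!anyMatch(stringList(st.Resource), resourceARN, matchGlob) {
			continue
		}
		switch st.Effect {
		case "Deny":
			return false, nil
		case "Allow":
			allowed = true
		}
	}
	return allowed, nil
}

func main() {
	put := "arn:aws:s3:::" + bucket + "/report.csv"
	for name, doc := range map[string]string{"broken": BrokenPolicy, "fixed": FixedPolicy} {
		ok, err := Allows(doc, sessionARN, "s3:PutObject", put)
		fmt.Printf("%s policy, PutObject by the role session: allowed=%v err=%v\n", name, ok, err)
	}
	// bucket/* covers objects only, so a bucket-level action is still denied.
	ok, _ := Allows(FixedPolicy, sessionARN, "s3:ListBucket", "arn:aws:s3:::"+bucket)
	fmt.Println("fixed policy, ListBucket on the bucket ARN: allowed =", ok)
}
```

Run it with `go run` on the single file; the broken policy denies the session, the fixed policy allows PutObject, and ListBucket on the bucket ARN stays denied until `arn:aws:s3:::<name of the bucket>` is added to Resource. In the real account the same result comes from the role's identity policy instead, which is usually the better place to put it, since the role then carries its own permissions wherever it is assumed.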