Tags: amazon-web-services, amazon-s3, aws-lambda, amazon-iam, assume-role

AWS lambda to assume role in the same aws account to access S3


I have created a role to get objects from an S3 bucket as below:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "S3GetObjects",
            "Effect": "Allow",
            "Action": [
                "s3:Get*"
            ],
            "Resource": [
                "arn:aws:s3:::cat-pics",
                "arn:aws:s3:::cat-pics/*"
            ]
        }
    ]
}

Next, I created a Lambda function to assume this role. For that I added the following statement to the basic Lambda execution role that is attached to the Lambda function:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::same-account-id:role/AssumeS3RoleDemo"
        }
    ]
}

However, the following code

import boto3


def lambda_handler(event, context):
    print("this test should be printed")
    # Create an STS client object that represents a live connection to the
    # STS service
    sts_client = boto3.client('sts')

    # Call the assume_role method of the STS client and pass the role
    # ARN and a role session name.
    assumed_role_object = sts_client.assume_role(
        RoleArn="arn:aws:iam::same-account-id:role/AssumeS3RoleDemo",
        RoleSessionName="AssumeRoleSession"
    )

    # From the response that contains the assumed role, get the temporary
    # credentials that can be used to make subsequent API calls
    credentials = assumed_role_object['Credentials']

    # Note: this writes the temporary AccessKeyId, SecretAccessKey and
    # SessionToken into the CloudWatch log stream; fine for a quick test,
    # but not something to leave in production code.
    print("credentials are")
    print(credentials)

does not work. I keep getting the following error:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::same-account-id:assumed-role/lambda_basic_execution_new/AssumeRoleDemo is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::same-account-id:role/AssumeS3RoleDemo: ClientError

Here AssumeRoleDemo is the name of the Lambda function and AssumeS3RoleDemo is the name of the role that has access to S3.

Is it possible to assume a role in the same account? If so, what step am I missing here? Please let me know.

Thanks


Solution

  • You don't need to use STS and AssumeRole in your Lambda code to access S3 if both are in the same account; if the role attached to the Lambda function has a policy allowing access to S3, it will work just fine.

    But if you really want to do it, you need to make sure the trust policy of your role AssumeS3RoleDemo allows the Lambda execution role to assume it.

    Below is a link to one example using two different accounts, but the mechanism is the same using just one account:
    https://aws.amazon.com/premiumsupport/knowledge-center/lambda-function-assume-iam-role/
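The trust policy the answer refers to, plus a small local check of how IAM matches the caller against it, as an added example that is not part of the original answer. The account id and role names are constructed placeholders; the key point is that the trust policy names the execution role's IAM ARN, while the AccessDenied message shows the STS assumed-role session ARN, and the check maps one to the other.

```python
# Constructed trust policy for AssumeS3RoleDemo (placeholder account id).
ACCOUNT_ID = "123456789012"
LAMBDA_EXEC_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/lambda_basic_execution_new"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            # Least privilege: name the execution role, not the account root.
            "Principal": {"AWS": LAMBDA_EXEC_ROLE_ARN},
            "Action": "sts:AssumeRole",
        }
    ],
}


def session_arn_to_role_arn(caller_arn: str) -> str:
    """arn:aws:sts::ACCT:assumed-role/ROLE/SESSION -> arn:aws:iam::ACCT:role/ROLE.
    Any other ARN (e.g. an IAM user) is returned unchanged."""
    parts = caller_arn.split(":", 5)
    if len(parts) == 6 and parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        role_name = parts[5].split("/")[1]
        return f"arn:aws:iam::{parts[4]}:role/{role_name}"
    return caller_arn


def trust_policy_allows(policy: dict, caller_arn: str) -> bool:
    """True if an Allow statement's AWS principal covers the caller.
    Simplified local model (assumption): Deny statements and Conditions are
    ignored. An account-root principal is treated as matching any identity in
    that account, since IAM then defers to the caller's own identity policy."""
    role_arn = session_arn_to_role_arn(caller_arn)
    account = role_arn.split(":")[4]
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if not any(a in ("sts:AssumeRole", "sts:*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = principal.get("AWS", []) if isinstance(principal, dict) else []
        aws = [aws] if isinstance(aws, str) else aws
        if role_arn in aws or f"arn:aws:iam::{account}:root" in aws:
            return True
    return False
```

Remember that the trust policy is only half of the check: the execution role's identity policy (the sts:AssumeRole statement in the question) must also allow the call.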