I'm looking to create a signed URL so I can create an MQTT client. For this, I would need a secret access key, access key ID and session token. As my pods use IRSA, I'm ideally looking to do this using temporary credentials that I retrieve using the AWS SDK.
I've tried many things, this being the latest
import AWS from 'aws-sdk';
import v4 from 'aws-signature-v4';

// STS client; with IRSA the SDK picks up the pod's web-identity token on its own
const sts = new AWS.STS();

// awsConfig (iotDataEndpoint, region) is assumed to be defined elsewhere
const role = await sts
  .assumeRole({
    RoleArn: 'arn:aws:iam::my-acc:role/my-role',
    RoleSessionName: 'some-random-session-name',
    DurationSeconds: 900,
  })
  .promise();

// createPresignedURL(method, host, path, service, payload, options)
const url = v4.createPresignedURL(
  'GET',
  awsConfig.iotDataEndpoint.toLowerCase(),
  '/mqtt',
  'iotdevicegateway',
  '', // empty payload; the library hashes it into the canonical request
  {
    key: role.Credentials.AccessKeyId,
    secret: role.Credentials.SecretAccessKey,
    sessionToken: role.Credentials.SessionToken,
    protocol: 'wss',
    expires: 900,
    region: awsConfig.region,
  },
);
which throws

    User: arn:aws:sts::my-acc:assumed-role/my-role/token-file-web-identity is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::my-acc:role/my-role
I made sure that arn:aws:sts::my-acc:assumed-role/my-role has the permission to perform sts:AssumeRole and that there is a trust relationship with the resource.
Any ideas?
As it turns out, the role that you're using for the IRSA also needs to have the permission to assume itself.

Adding the sts:AssumeRole permission to arn:aws:iam::my-acc:role/my-role for arn:aws:iam::my-acc:role/my-role fixed it.
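As an added example (not code from the question or the answer), the following shows the trust-policy side of that fix. The AccessDenied message names the caller as an STS assumed-role ARN (`arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION`), but the principal that has to be listed in the role's trust policy is the IAM role ARN (`arn:aws:iam::ACCOUNT:role/ROLE`). The first helper derives one from the other, the second builds a trust policy that keeps the usual IRSA web-identity statement and adds the self-assume statement, and the third checks whether a given policy already trusts a principal for `sts:AssumeRole`. The OIDC provider host, namespace and service-account name are assumed placeholders.

```javascript
// Added example: derive the role ARN behind an STS assumed-role principal and
// build/check a trust policy that lets an IRSA role assume itself.

// Map arn:aws:sts::ACC:assumed-role/ROLE/SESSION to arn:aws:iam::ACC:role/ROLE.
// Returns null for any other ARN shape instead of guessing.
function assumedRoleToRoleArn(stsArn) {
  const m = /^arn:aws:sts::([^:]+):assumed-role\/([^/]+)\/[^/]+$/.exec(stsArn);
  if (!m) return null;
  return `arn:aws:iam::${m[1]}:role/${m[2]}`;
}

// Trust policy for an IRSA role that must also be able to assume itself.
// oidcHost is the EKS OIDC issuer without scheme, e.g.
// oidc.eks.<region>.amazonaws.com/id/<ID> (assumed placeholder below).
function buildTrustPolicy({ roleArn, oidcProviderArn, oidcHost, namespace, serviceAccount }) {
  return {
    Version: '2012-10-17',
    Statement: [
      {
        // Existing IRSA statement: the pod's projected token is exchanged here.
        Sid: 'IrsaWebIdentity',
        Effect: 'Allow',
        Principal: { Federated: oidcProviderArn },
        Action: 'sts:AssumeRoleWithWebIdentity',
        Condition: {
          StringEquals: {
            [`${oidcHost}:sub`]: `system:serviceaccount:${namespace}:${serviceAccount}`,
            [`${oidcHost}:aud`]: 'sts.amazonaws.com',
          },
        },
      },
      {
        // The statement the answer describes: the role trusts itself.
        // Note the Principal is the IAM role ARN, not the assumed-role ARN
        // that appears in the error message.
        Sid: 'SelfAssume',
        Effect: 'Allow',
        Principal: { AWS: roleArn },
        Action: 'sts:AssumeRole',
      },
    ],
  };
}

// True if some Allow statement grants sts:AssumeRole to principalArn.
function trustPolicyAllowsAssumeRole(policy, principalArn) {
  return policy.Statement.some((s) => {
    if (s.Effect !== 'Allow') return false;
    const actions = [].concat(s.Action);
    const principals = [].concat((s.Principal && s.Principal.AWS) || []);
    return actions.includes('sts:AssumeRole') && principals.includes(principalArn);
  });
}

// Constructed values modelled on the error message in the question.
const deniedPrincipal = 'arn:aws:sts::my-acc:assumed-role/my-role/token-file-web-identity';
const roleArn = assumedRoleToRoleArn(deniedPrincipal);
const trustPolicy = buildTrustPolicy({
  roleArn,
  oidcProviderArn: 'arn:aws:iam::my-acc:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE',
  oidcHost: 'oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLE',
  namespace: 'default',
  serviceAccount: 'mqtt-client',
});
console.log(JSON.stringify(trustPolicy, null, 2));
console.log('self-assume allowed:', trustPolicyAllowsAssumeRole(trustPolicy, roleArn));
```

`trustPolicyAllowsAssumeRole` is a quick pre-flight check against the policy document fetched with `iam.getRole`, so the missing statement is spotted before the pod ever calls `sts.assumeRole`.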