99designs / aws-vault

A vault for securely storing and accessing AWS credentials in development environments

AssumedRole not working as expected?

Lewenhaupt opened this issue · comments

I'm having problems setting up roles correctly to use aws-vault.

I've set up a new IAM User (aws-vault-test-user) and added the credentials to aws-vault using aws-vault add test.

Added permissions to assume the role (I've set it to wildcards now to troubleshoot):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::*:role/*"
        }
    ]
}

Created a role that I intend to assume called aws-vault-admin-role-test which uses the managed policy AdministratorAccess:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

And setup the trust policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::<redacted>:root",
                    "arn:aws:iam::<redacted>:user/aws-vault-test-user"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

And still, any call I make results in that call getting an AccessDenied. My interpretation of the debug output is that aws-vault successfully assumes the role, seeing as it's able to obtain the credentials. But the role doesn't seem to work? All examples I can find via the docs and via googling show this same setup (but more limited, as they set the account everywhere). Tried debugging the aws-cli call as well, but that did not give me any more info other than that a 403 was returned (as expected).

config:

[profile test]
region=eu-central-1
role_arn=arn:aws:iam::<redacted>:role/aws-vault-admin-role-test

aws-vault output:

2022/10/09 18:34:52 aws-vault v6.6.0
2022/10/09 18:34:52 Loading config file /Users/hugolewenhaupt/.aws/config
2022/10/09 18:34:52 Parsing config file /Users/hugolewenhaupt/.aws/config
2022/10/09 18:34:52 [keyring] Considering backends: [keychain]
2022/10/09 18:34:52 [keyring] Querying keychain for service="aws-vault", keychain="aws-vault.keychain"
2022/10/09 18:34:52 [keyring] Found 4 results
2022/10/09 18:34:52 profile test: using stored credentials
2022/10/09 18:34:52 profile test: skipping GetSessionToken because disabled
2022/10/09 18:34:52 Looking up keyring for 'test'
2022/10/09 18:34:52 [keyring] Querying keychain for service="aws-vault", account="test", keychain="aws-vault.keychain"
2022/10/09 18:35:00 [keyring] Found item "aws-vault (test)"
2022/10/09 18:35:00 Setting subprocess env: AWS_DEFAULT_REGION=eu-central-1, AWS_REGION=eu-central-1
2022/10/09 18:35:00 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2022/10/09 18:35:00 Exec command aws s3 ls
2022/10/09 18:35:00 Found executable /Users/hugolewenhaupt/.pyenv/shims/aws

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied

  • I am using the latest release of AWS Vault
  • I have provided my .aws/config (redacted if necessary)
  • I have provided the debug output using aws-vault --debug (redacted if necessary)

I have tried assuming everything manually by following https://aws.amazon.com/premiumsupport/knowledge-center/iam-assume-role-cli/ and I can verify that the temporary credentials I obtain allow me to perform a simple "aws s3 ls". But it still doesn't work via aws-vault.

@Lewenhaupt I'd been using aws-vault for the last 6 months for multiple accounts with no issue but I started running into this same issue recently. I've followed the same / similar steps with the same result.

Did you ever figure this out or find a workaround? Thanks in advance! 🙏🏾

@pmmenzel unfortunately not so I've just stuck to using the credentials file for now :/

@Lewenhaupt I figured out my issue — I was setting the AWS_ASSUME_ROLE_TTL=2h but assume role chaining is strictly limited to 1 hour. (See role chaining)

Now, I'm not sure if this is the same problem you're having but might be worth checking if you're setting anything like that anywhere.

In my case, I was seeing this error

profile quip-control: skipping GetSessionToken because duration 2h0m0s in profile 'my-profile' is greater than the AWS maximum 1h0m0s for chaining MFA

but I don't see that in your debug output, so might be a separate issue.

Anyway, I hope this is helpful!
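Two details in the thread are worth checking mechanically. The debug output Lewenhaupt posted reports setting only AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY for the subprocess and never AWS_SESSION_TOKEN; temporary credentials from AssumeRole (or GetSessionToken) always carry a session token, so the child process received the stored long-lived user keys, which is consistent with the AccessDenied given that the user itself only has sts:AssumeRole. The posted config also puts role_arn on the same profile that holds the stored keys, whereas aws-vault's documented layout keeps the access keys on a base profile and puts role_arn on a separate profile that names it via source_profile. The script below is an added example, not part of this thread and not aws-vault's own code: it lints a config for that layout and for the one-hour role-chaining limit pmmenzel ran into, and inspects a debug log for a session token. The config and log excerpt are constructed (placeholder account ids; the base, admin and chained profiles are hypothetical), KEYRING_PROFILES stands in for what `aws-vault list` would report, and the function names are the example's own.

```python
import configparser
import re

# Constructed sample config, modelled on the one in the issue: 'test' carries both the
# stored access keys and the role_arn. 'base', 'admin' and 'chained' are hypothetical
# profiles showing the documented source_profile layout and a chained role with a 2h duration.
SAMPLE_CONFIG = """
[profile test]
region=eu-central-1
role_arn=arn:aws:iam::111111111111:role/aws-vault-admin-role-test

[profile base]
region=eu-central-1

[profile admin]
source_profile=base
role_arn=arn:aws:iam::111111111111:role/aws-vault-admin-role-test

[profile chained]
source_profile=admin
role_arn=arn:aws:iam::222222222222:role/other-role
duration_seconds=7200
"""

# Constructed excerpt of `aws-vault --debug exec test` output, following the lines in the issue.
SAMPLE_LOG = """\
2022/10/09 18:35:00 profile test: using stored credentials
2022/10/09 18:35:00 profile test: skipping GetSessionToken because disabled
2022/10/09 18:35:00 Setting subprocess env: AWS_DEFAULT_REGION=eu-central-1, AWS_REGION=eu-central-1
2022/10/09 18:35:00 Setting subprocess env: AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY
2022/10/09 18:35:00 Exec command aws s3 ls
"""

# Assumption: the profile names that have access keys stored in the aws-vault keyring
# (what the Credentials column of `aws-vault list` would show).
KEYRING_PROFILES = {"test", "base"}

# STS caps a session obtained through role chaining at one hour.
MAX_CHAINED_SECONDS = 3600


def parse_profiles(text):
    """Return {profile_name: {key: value}} from ~/.aws/config-style text."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    profiles = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def lint_profiles(profiles, keyring_profiles):
    """Return (profile, message) pairs for layouts that will not assume the role as expected."""
    findings = []
    for name, p in profiles.items():
        src = p.get("source_profile")
        if "role_arn" in p and not src:
            where = "keys stored on this same profile" if name in keyring_profiles else "no credentials"
            findings.append((name, f"role_arn without source_profile ({where}); put the access keys "
                                   f"on a base profile and reference it with source_profile"))
        if src and src not in profiles:
            findings.append((name, f"source_profile '{src}' is not defined"))
        # A source profile that itself assumes a role makes this a chained role: 1h maximum.
        if src and "role_arn" in profiles.get(src, {}):
            duration = int(p.get("duration_seconds", MAX_CHAINED_SECONDS))
            if duration > MAX_CHAINED_SECONDS:
                findings.append((name, f"duration_seconds={duration} exceeds the "
                                       f"{MAX_CHAINED_SECONDS}s limit for a chained role"))
    return findings


def exported_vars(log):
    """Names of the variables aws-vault reports setting for the child process."""
    names = set()
    for line in log.splitlines():
        m = re.search(r"Setting subprocess env: (.+)$", line)
        if m:
            for item in m.group(1).split(","):
                names.add(item.strip().split("=", 1)[0])
    return names


def got_temporary_credentials(log):
    """Temporary credentials (AssumeRole or GetSessionToken) always carry a session token;
    long-lived IAM user keys never do. False means the role cannot have been assumed."""
    return "AWS_SESSION_TOKEN" in exported_vars(log)


if __name__ == "__main__":
    for prof, msg in lint_profiles(parse_profiles(SAMPLE_CONFIG), KEYRING_PROFILES):
        print(f"[{prof}] {msg}")
    print("temporary credentials exported:", got_temporary_credentials(SAMPLE_LOG))
```

Run against a real setup, feed it the output of `aws-vault --debug exec <profile> -- true` and the contents of ~/.aws/config; a profile reported by lint_profiles as carrying role_arn on the same profile as its stored keys should be split into a base profile (keys only) plus a role profile with source_profile pointing at it, and a chained profile needs duration_seconds at or below 3600.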

@pmmenzel interesting, but no I'm not modifying it and I don't see it in the logs either. But thanks for the update!

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.