I will preface this by saying that the trust policy shows on the UI that the role, /workdocs_api_pull, is listed in the "trusted entities can assume this role" section for /WorkDocs_API_Developer. Also to note: this is cross-account.
Here is the error:
Traceback (most recent call last):
  File "/var/task/workdocs_api_pull/bin/dcgs_sds_pull.py", line 76, in lambda_handler
    get_folder_contents(aws_region)
  File "/var/task/workdocs_api_pull/bin/dcgs_sds_pull.py", line 56, in get_folder_contents
    role = assume_role(wd_role_arn, aws_region)
  File "/var/task/workdocs_api_pull/bin/dcgs_sds_pull.py", line 48, in assume_role
    RoleSessionName = 'workdocs_session'
  File "/var/runtime/botocore/client.py", line 272, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 576, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::<account_num>:assumed-role/LambdaFullAccessRole/workdocs_api_pull is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account_num>:role/WorkDocs_API_Developer
Here is the code:
import boto3

aws_region = 'us-east-1'
wd_role_arn = 'arn:aws:iam::<account_num>:role/WorkDocs_API_Developer'


def temp_keys():
    # Credentials of the Lambda execution role (LambdaFullAccessRole);
    # boto3 would pick these up on its own, but they are made explicit here
    session = boto3.Session()
    credentials = session.get_credentials()
    keys = credentials.get_frozen_credentials()
    return keys


def assume_role(wd_role_arn, aws_region):
    creds = temp_keys()
    boto_sts = boto3.client('sts',
                            aws_access_key_id=creds.access_key,
                            aws_secret_access_key=creds.secret_key,
                            aws_session_token=creds.token,
                            region_name=aws_region)
    # This is the call that raises AccessDenied when the execution role's
    # permissions policy does not allow sts:AssumeRole on wd_role_arn
    role_credentials = boto_sts.assume_role(RoleArn=wd_role_arn,
                                            RoleSessionName='workdocs_session')
    # assume_role returns a plain dict; the temporary keys are under 'Credentials'
    return role_credentials['Credentials']


def lambda_handler(event, context):
    def get_folder_contents(aws_region):
        role = assume_role(wd_role_arn, aws_region)
        # Debug output only: this writes the temporary secret key and session
        # token to CloudWatch Logs, so remove it once the call works
        print(role['AccessKeyId'], '\n', role['SecretAccessKey'], '\n', role['SessionToken'])
        folder_id = '<folder_id>'
        client = boto3.client('workdocs',
                              aws_access_key_id=role['AccessKeyId'],
                              aws_secret_access_key=role['SecretAccessKey'],
                              aws_session_token=role['SessionToken'],
                              region_name=aws_region)
        folder = client.get_folder(FolderId=folder_id)
        print(folder)
        return folder

    get_folder_contents(aws_region)
How can I get to the bottom of why this isn't working?
The answer in this case was not the trust policy, but the permissions policy. I needed to add sts:AssumeRole to the permissions policy for their IAM role in my account.
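Both halves of a cross-account AssumeRole, worked through as an added example that is not part of the original question or answer. It models the simplified IAM evaluation that produced the AccessDenied above: the target role's trust policy must name the calling role, and the calling role's own permissions policy must allow sts:AssumeRole on the target. The account numbers, the `PERMISSIONS_BEFORE`/`PERMISSIONS_AFTER` documents and the `can_assume` helper are all constructed for illustration; the role names come from the error message on this page.

```python
import fnmatch
import json

# Constructed placeholders; 111... is the Lambda's account, 222... the WorkDocs account.
LAMBDA_ROLE_ARN = "arn:aws:iam::111111111111:role/LambdaFullAccessRole"
CALLER_SESSION_ARN = "arn:aws:sts::111111111111:assumed-role/LambdaFullAccessRole/workdocs_api_pull"
TARGET_ROLE_ARN = "arn:aws:iam::222222222222:role/WorkDocs_API_Developer"

# Trust policy on WorkDocs_API_Developer: this half was already correct in the question.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": LAMBDA_ROLE_ARN},
                   "Action": "sts:AssumeRole"}],
}

# Permissions (identity-based) policy on LambdaFullAccessRole before the fix: no sts:AssumeRole.
PERMISSIONS_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["workdocs:Get*"], "Resource": "*"}],
}

# After the fix: sts:AssumeRole, scoped to the single role that needs to be assumed.
PERMISSIONS_AFTER = {
    "Version": "2012-10-17",
    "Statement": PERMISSIONS_BEFORE["Statement"] + [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE_ARN}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards ('*', '?') behave like shell globs for actions and ARNs
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def session_to_role_arn(arn):
    """Map an STS assumed-role session ARN to the IAM role ARN that trust policies match on."""
    parts = arn.split(":")
    if parts[2] == "sts" and parts[5].startswith("assumed-role/"):
        role_name = parts[5].split("/")[1]
        return f"arn:aws:iam::{parts[4]}:role/{role_name}"
    return arn


def identity_policy_allows(policy, action, resource):
    """Simplified evaluation: an explicit Deny wins, otherwise any Allow, otherwise implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if _matches(stmt.get("Action", []), action) and _matches(stmt.get("Resource", "*"), resource):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def trust_policy_allows(trust_policy, role_arn):
    """True when some Allow statement names role_arn as an AWS principal for sts:AssumeRole."""
    for stmt in trust_policy["Statement"]:
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if (stmt.get("Effect") == "Allow"
                and _matches(stmt.get("Action", []), "sts:AssumeRole")
                and role_arn in principals):
            return True
    return False


def can_assume(caller_arn, permissions_policy, trust_policy, target_role_arn):
    """Return (ok, reason). Cross-account AssumeRole needs both policies to say yes."""
    role_arn = session_to_role_arn(caller_arn)
    if not trust_policy_allows(trust_policy, role_arn):
        return False, f"trust policy on {target_role_arn} does not list {role_arn}"
    if not identity_policy_allows(permissions_policy, "sts:AssumeRole", target_role_arn):
        return False, f"permissions policy on {role_arn} does not allow sts:AssumeRole on {target_role_arn}"
    return True, "allowed"


if __name__ == "__main__":
    for label, policy in (("before", PERMISSIONS_BEFORE), ("after", PERMISSIONS_AFTER)):
        print(label, can_assume(CALLER_SESSION_ARN, policy, TRUST_POLICY, TARGET_ROLE_ARN))
    # The statement that had to be added to the calling role's permissions policy
    print(json.dumps(PERMISSIONS_AFTER["Statement"][-1], indent=2))
```

The evaluation is deliberately reduced to the two checks that matter for this error (no conditions, no SCPs, no permission boundaries), which is enough to show why a correct trust policy alone still yields AccessDenied until the calling role is granted sts:AssumeRole on the target ARN.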