
How to troubleshoot boto3 role assumption

I will preface this by saying that the trust policy shows on the UI that the role, /workdocs_api_pull, is listed in the "trusted entities can assume this role" section for /WorkDocs_API_Developer. Also to note: this is cross-account.

Here is the error:

Traceback (most recent call last):
  File "/var/task/workdocs_api_pull/bin/dcgs_sds_pull.py", line 76, in lambda_handler
    get_folder_contents(aws_region)
  File "/var/task/workdocs_api_pull/bin/dcgs_sds_pull.py", line 56, in get_folder_contents
    role = assume_role(wd_role_arn, aws_region)
  File "/var/task/workdocs_api_pull/bin/dcgs_sds_pull.py", line 48, in assume_role
    RoleSessionName = 'workdocs_session'
  File "/var/runtime/botocore/client.py", line 272, in _api_call
    return self._make_api_call(operation_name, kwargs)
  File "/var/runtime/botocore/client.py", line 576, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::<account_num>:assumed-role/LambdaFullAccessRole/workdocs_api_pull is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account_num>:role/WorkDocs_API_Developer

Here is the code:

import boto3

aws_region = 'us-east-1'
wd_role_arn = 'arn:aws:iam::<account_num>:role/WorkDocs_API_Developer'


def temp_keys():
    # Frozen copy of whatever the default credential chain resolves to
    # (inside Lambda this is the execution role's temporary credentials).
    session = boto3.Session()
    credentials = session.get_credentials()
    keys = credentials.get_frozen_credentials()

    return keys


def assume_role(wd_role_arn, aws_region):
    creds = temp_keys()

    boto_sts = boto3.client('sts',
                            aws_access_key_id=creds.access_key,
                            aws_secret_access_key=creds.secret_key,
                            aws_session_token=creds.token,
                            region_name=aws_region
                            )
    role_credentials = boto_sts.assume_role(RoleArn=wd_role_arn,
                                            RoleSessionName='workdocs_session'
                                            )

    # assume_role returns a plain dict; the temporary keys are under 'Credentials'
    # (there is no .credentials attribute on the response).
    return role_credentials['Credentials']


def lambda_handler(event, context):

    def get_folder_contents(aws_region):
        role = assume_role(wd_role_arn, aws_region)
        # Do not print the secret key or session token here: Lambda stdout
        # goes straight to CloudWatch Logs.
        folder_id = '<folder_id>'
        client = boto3.client('workdocs',
                              aws_access_key_id=role['AccessKeyId'],
                              aws_secret_access_key=role['SecretAccessKey'],
                              aws_session_token=role['SessionToken'],
                              region_name=aws_region
                              )
        folder = client.get_folder(FolderId=folder_id)
        print(folder)
        return folder

    get_folder_contents(aws_region)

How can I get to the bottom of why this isn't working?

The answer in this case was not the trust policy, but the permissions policy. I needed to add sts:AssumeRole to the permissions policy for their IAM Role in my account.
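Cross-account AssumeRole needs both halves to line up: the target role's trust policy must name the caller, and the caller's own permissions policy must allow sts:AssumeRole on the target. The following is an added example (not code from the question, the answer, or AWS) that checks both halves offline against constructed policy documents; the account ids, role names and policy bodies are placeholders I made up for illustration, and the helper mirrors the error message by mapping the caller's arn:aws:sts assumed-role ARN back to the IAM role ARN a trust policy would actually name.

```python
import re

# Constructed sample values (not from the question); account ids are placeholders.
CALLER_ACCOUNT = "111111111111"
TARGET_ACCOUNT = "222222222222"
CALLER_ROLE_ARN = f"arn:aws:iam::{CALLER_ACCOUNT}:role/LambdaFullAccessRole"
CALLER_STS_ARN = f"arn:aws:sts::{CALLER_ACCOUNT}:assumed-role/LambdaFullAccessRole/workdocs_api_pull"
TARGET_ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/WorkDocs_API_Developer"

# Trust policy on the *target* role (lives in the WorkDocs account).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": CALLER_ROLE_ARN},
                   "Action": "sts:AssumeRole"}],
}

# Permissions policy on the *caller* role (the Lambda execution role).
# The first one reproduces the situation in the answer: no sts:AssumeRole grant.
PERMISSIONS_POLICY_BROKEN = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["workdocs:*"], "Resource": "*"}],
}
PERMISSIONS_POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["workdocs:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE_ARN},
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_match(pattern, text, ignore_case=False):
    # IAM actions and resources support '*' wildcards; action names are case-insensitive.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, text, re.IGNORECASE if ignore_case else 0) is not None


def assumed_role_to_iam_role(sts_arn):
    """Map arn:aws:sts::acct:assumed-role/Name/Session to arn:aws:iam::acct:role/Name."""
    m = re.match(r"arn:aws:sts::(\d+):assumed-role/([^/]+)/", sts_arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else sts_arn


def caller_may_assume(permissions_policy, target_role_arn):
    """Identity side: does the caller's policy allow sts:AssumeRole on the target role?"""
    allowed = False
    for st in _as_list(permissions_policy["Statement"]):
        hit = (any(_glob_match(a, "sts:AssumeRole", True) for a in _as_list(st.get("Action", [])))
               and any(_glob_match(r, target_role_arn) for r in _as_list(st.get("Resource", []))))
        if hit and st["Effect"] == "Deny":
            return False          # an explicit Deny always wins
        if hit and st["Effect"] == "Allow":
            allowed = True
    return allowed


def target_trusts(trust_policy, caller_role_arn):
    """Resource side: does the target's trust policy name the caller role (or its account)?"""
    account = caller_role_arn.split(":")[4]
    acceptable = {caller_role_arn, f"arn:aws:iam::{account}:root", account, "*"}
    for st in _as_list(trust_policy["Statement"]):
        if st["Effect"] != "Allow":
            continue
        if not any(_glob_match(a, "sts:AssumeRole", True) for a in _as_list(st.get("Action", []))):
            continue
        principals = _as_list(st.get("Principal", {}).get("AWS", []))
        if any(p in acceptable for p in principals):
            return True
    return False


def diagnose(caller_sts_arn, target_role_arn, trust_policy, permissions_policy):
    """Return the list of missing pieces; an empty list means both halves are in place."""
    caller_role_arn = assumed_role_to_iam_role(caller_sts_arn)
    findings = []
    if not target_trusts(trust_policy, caller_role_arn):
        findings.append("trust policy on target does not name the caller")
    if not caller_may_assume(permissions_policy, target_role_arn):
        findings.append("caller's permissions policy lacks sts:AssumeRole on target")
    return findings


if __name__ == "__main__":
    print(diagnose(CALLER_STS_ARN, TARGET_ROLE_ARN, TRUST_POLICY, PERMISSIONS_POLICY_BROKEN))
    print(diagnose(CALLER_STS_ARN, TARGET_ROLE_ARN, TRUST_POLICY, PERMISSIONS_POLICY_FIXED))
```

Run against the broken permissions policy the check reports only the identity-side gap, which is exactly the situation in the answer above: the trust policy was fine, the caller's own policy was not. In a real account the two documents come from iam:GetRole (AssumeRolePolicyDocument) on the target and from the caller role's inline and attached policies; the matching here is deliberately simplified (no Condition keys, no permission boundaries, no SCPs), so treat a clean result as a first check rather than a full authorization simulation.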
