When trying to get an S3 object (of account1) from an EC2 instance (of account2), the STS session creation fails with the error: "User arn:aws:sts::99 *804963:assumed-role/i-9B6331541002 f46-us-west is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::85*****15:role/MyS3DataReadRole
To provide access to fetch the S3 object:
The only suspicious point here is "assumed-role" instead of "role" in the user instance ARN. AFAIK the user ARN is calculated automatically by the AWS SDK, but I can't understand why the "assumed-" prefix is added before "role". I.e. the error message mentions "arn:aws:sts::99 804963:assumed-role/i-9B6331541002 f46-us-west", but in the trust relationship I've provided the correct ARN, i.e. "arn:aws:sts::99 804963:role/i-9B6331541002 f46-us-west".
You also have to create an assume-role policy and attach it to the EC2 instance role (in account 99*804963) so that the EC2 instance role has permission to assume the role (85*****15:role/MyS3DataReadRole) which has read permissions for the S3 object.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::85*****15:role/MyS3DataReadRole"
        }
    ]
}
Please update the account ID in the above policy with the actual one.
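As an added example (not part of the answer above): the AccessDenied message reports the transient STS session ARN ("...:sts::ACCOUNT:assumed-role/ROLE/SESSION"), while the trust policy on the target role has to name the IAM role ("...:iam::ACCOUNT:role/ROLE"). The helper below maps one to the other and emits both documents that cross-account AssumeRole needs: the permissions policy for the instance role and the trust policy for the S3 read role. Account IDs, the instance role name and the session name are constructed placeholders.

```python
import json
import re

# STS session ARN shape: arn:<partition>:sts::<account>:assumed-role/<role>/<session>
# (the session name is the instance id when credentials come from an instance profile).
_ASSUMED_ROLE_RE = re.compile(
    r"^arn:(?P<partition>aws[\w-]*):sts::(?P<account>\d{12}):assumed-role/"
    r"(?P<role>[\w+=,.@-]+)/(?P<session>[\w+=,.@-]+)$"
)


def iam_role_arn_from_assumed_role(assumed_role_arn):
    """Map the transient sts:assumed-role ARN seen in the AccessDenied
    message back to the IAM role ARN that a trust policy must name."""
    m = _ASSUMED_ROLE_RE.match(assumed_role_arn)
    if not m:
        raise ValueError("not an STS assumed-role ARN: %r" % assumed_role_arn)
    return "arn:%s:iam::%s:role/%s" % (
        m.group("partition"), m.group("account"), m.group("role"))


def build_cross_account_policies(instance_assumed_role_arn, target_role_arn):
    """Return (permissions_policy, trust_policy): the first is attached to the
    EC2 instance role in account2, the second is the trust policy on the S3
    read role in account1. Both sides are required for sts:AssumeRole."""
    instance_role_arn = iam_role_arn_from_assumed_role(instance_assumed_role_arn)
    permissions_policy = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       "Action": "sts:AssumeRole",
                       "Resource": target_role_arn}],
    }
    trust_policy = {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow",
                       # Must be the IAM role ARN, not the STS assumed-role ARN.
                       "Principal": {"AWS": instance_role_arn},
                       "Action": "sts:AssumeRole"}],
    }
    return permissions_policy, trust_policy


if __name__ == "__main__":
    # Constructed sample values: account ids, role name and session id are placeholders.
    session_arn = "arn:aws:sts::222222222222:assumed-role/MyEc2InstanceRole/i-0123456789abcdef0"
    target = "arn:aws:iam::111111111111:role/MyS3DataReadRole"
    for doc in build_cross_account_policies(session_arn, target):
        print(json.dumps(doc, indent=2))
```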