I need to list all regions of an AWS account (part of an organization). I plan to use "AccountClient" with "ListRegions".
I connected to the account via a role named 'myrole' which has 'AdministratorAccess' (so I have the account:ListRegions permission), but I'm getting a 403 response with the message:
User: arn:aws:sts::xxx:assumed-role/myrole/session_70429 is not authorize (truncated...)
AccessDeniedException (client): User: arn:aws:sts::xxx:assumed-role/myrole/session_70429 is not authorized to perform: account:ListRegions
What is wrong in my code? Why don't I have access to that information with that role?
<?php
require 'vendor/autoload.php';

use Aws\Sts\StsClient;
use Aws\Account\AccountClient;
use Aws\Credentials\Credentials;

// Long-term credentials, used only to call sts:AssumeRole
$stsClient = new StsClient([
    'version' => 'latest',
    'region' => 'eu-central-1',
    'credentials' => [
        'key' => 'xxx',
        'secret' => 'yyy',
    ],
]);

$random = rand(10000, 99999);
$response = $stsClient->assumeRole([
    // RoleArn must be the full ARN of the role, not just its name
    'RoleArn' => 'arn:aws:iam::xxx:role/myrole',
    'RoleSessionName' => "session_$random",
]);

// Temporary credentials of the assumed-role session
$credentials = new Credentials(
    $response['Credentials']['AccessKeyId'],
    $response['Credentials']['SecretAccessKey'],
    $response['Credentials']['SessionToken']
);

$client = new AccountClient([
    'version' => 'latest',
    'region' => 'eu-central-1',
    'credentials' => $credentials,
]);

// Passing AccountId asks for another account's regions. The Account API only
// honours it when the caller is the organization's management account or a
// delegated administrator for Account Management; otherwise the service
// returns AccessDeniedException even though the role is an administrator
// of its own account. Omit AccountId to list the calling account's regions.
$r = $client->listRegions(['AccountId' => '12345678']);
return $r['Regions'];
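The following is an added example and is not part of the original question. It shows the check a practitioner would run before passing AccountId to listRegions: sts:GetCallerIdentity tells you which account the assumed-role session actually belongs to, and organizations:DescribeOrganization tells you which account is the management account; AccountId is only honoured when those match (or when the caller is a delegated administrator). It also pages through NextToken and optionally filters on RegionOptStatusContains, which the original snippet does not. Assumptions: AWS SDK for PHP v3 installed via Composer, a $credentials object built exactly as in the question, and placeholder account IDs ('xxx' and '12345678') that you must replace.

```php
<?php
require 'vendor/autoload.php';

use Aws\Sts\StsClient;
use Aws\Organizations\OrganizationsClient;
use Aws\Account\AccountClient;
use Aws\Account\Exception\AccountException;
use Aws\Credentials\Credentials;

// Assumption: $credentials holds the assumed-role session credentials
// (an Aws\Credentials\Credentials built as in the question).
// $credentials = new Credentials('ASIA...', '...', '...');

// Returns the account ID the session belongs to.
// sts:GetCallerIdentity needs no IAM permission, so it always works.
function callerAccountId(StsClient $sts): string
{
    return $sts->getCallerIdentity()['Account'];
}

// True when the caller's account is the organization's management account,
// i.e. the account that may pass AccountId to account:ListRegions.
// (A delegated administrator for Account Management may as well; that
// case is not detected here.)
function isManagementAccount(StsClient $sts, OrganizationsClient $orgs): bool
{
    $org = $orgs->describeOrganization()['Organization'];
    return $org['MasterAccountId'] === callerAccountId($sts);
}

// Lists every region (following NextToken), optionally for another member
// account and optionally restricted to given opt-in statuses such as
// 'ENABLED', 'ENABLED_BY_DEFAULT' or 'DISABLED'.
// Returns [regionName => regionOptStatus].
function listAllRegions(AccountClient $account, ?string $targetAccountId = null, array $statuses = []): array
{
    $params = [];
    if ($targetAccountId !== null) {
        $params['AccountId'] = $targetAccountId;
    }
    if ($statuses !== []) {
        $params['RegionOptStatusContains'] = $statuses;
    }

    $regions = [];
    while (true) {
        $page = $account->listRegions($params);
        foreach ($page['Regions'] as $r) {
            $regions[$r['RegionName']] = $r['RegionOptStatus'];
        }
        if (!isset($page['NextToken'])) {
            break;
        }
        $params['NextToken'] = $page['NextToken'];
    }
    return $regions;
}

$clientConfig = [
    'version' => 'latest',
    'region' => 'eu-central-1',
    'credentials' => $credentials,
];
$sts = new StsClient($clientConfig);
$orgs = new OrganizationsClient($clientConfig);
$account = new AccountClient($clientConfig);

// Placeholder member account to query; replace with a real 12-digit ID.
$target = '12345678';

try {
    if (isManagementAccount($sts, $orgs)) {
        // Management account: AccountId is allowed, query the member account.
        $regions = listAllRegions($account, $target, ['ENABLED', 'ENABLED_BY_DEFAULT']);
    } else {
        // Member account: AccountId would be rejected with AccessDeniedException,
        // so list the calling account's own regions instead.
        $regions = listAllRegions($account);
    }
    foreach ($regions as $name => $status) {
        echo "$name\t$status\n";
    }
} catch (AccountException $e) {
    // getAwsErrorCode() is 'AccessDeniedException' for the error in the question.
    fwrite(STDERR, $e->getAwsErrorCode() . ': ' . $e->getAwsErrorMessage() . "\n");
    fwrite(STDERR, 'Caller is ' . callerAccountId($sts) . "\n");
}
```

Run it with the same credentials as the original script; the STDERR line printed on failure tells you which account the session really belongs to, which is usually enough to see whether the AccountId path is available to that principal. If organizations:DescribeOrganization is itself denied (for example by an SCP), the check cannot be made from that account and the call must come from the management account.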