AWS account:ListRegions 403 forbidden via PHP


I need to list all regions of an AWS account (part of an organization). I plan to use "AccountClient" with "ListRegions".

I connected to the account via a role named 'myrole' which is 'AdministratorAccess' (so it has the account:ListRegions permission), but I'm getting a 403 response with this message:

User: arn:aws:sts::xxx:assumed-role/myrole/session_70429 is not authorize (truncated...)\n AccessDeniedException (client): User: arn:aws:sts::xxx:assumed-role/myrole/session_70429 is not authorized to perform: account:ListRegions

What is wrong in my code? Why don't I have access to that information with that role?

<?php

// Composer autoloader and the SDK classes used below.
require __DIR__ . '/vendor/autoload.php';

use Aws\Account\AccountClient;
use Aws\Credentials\Credentials;
use Aws\Sts\StsClient;

$stsClient = new StsClient([
    'version'     => 'latest',
    'region'      => 'eu-central-1',
    'credentials' => [
        'key'    => 'xxx',
        'secret' => 'yyy',
    ],
]);

$random = rand(10000, 99999);

// RoleArn must be the full role ARN, not just the role name.
$response = $stsClient->assumeRole([
    'RoleArn'         => 'arn:aws:iam::xxx:role/myrole',
    'RoleSessionName' => "session_$random",
]);

// Temporary credentials returned by STS for the assumed role.
$credentials = new Credentials(
    $response['Credentials']['AccessKeyId'],
    $response['Credentials']['SecretAccessKey'],
    $response['Credentials']['SessionToken']
);

$client = new AccountClient([
    'version'     => 'latest',
    'region'      => 'eu-central-1',
    'credentials' => $credentials,
]);

// AccountId, when given, must be a 12-digit account ID.
$r = $client->listRegions(['AccountId' => '12345678']);

return $r['Regions'];

There are 0 answers
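The following is an added diagnostic script, not code from the original poster and not an answer posted on the page. It assumes the role by its full ARN, confirms with sts:GetCallerIdentity which principal and account the temporary credentials actually resolve to, and then calls ListRegions for the caller's own account without the AccountId parameter. Per the Account API documentation, AccountId is only accepted when the caller is the organization's management account or a delegated administrator naming a member account; when it is omitted, the call targets the caller's own account. The role ARN, region and the credential provider chain used here are assumptions.

```php
<?php
// Added diagnostic example; not the original poster's code. The role ARN and
// region are placeholders, and credentials come from the SDK's default provider
// chain (environment, shared profile, instance role) rather than literals.
require __DIR__ . '/vendor/autoload.php';

use Aws\Account\AccountClient;
use Aws\Credentials\Credentials;
use Aws\Exception\AwsException;
use Aws\Sts\StsClient;

const ROLE_ARN = 'arn:aws:iam::111111111111:role/myrole'; // placeholder
const REGION   = 'eu-central-1';                          // placeholder

/** Assume the role and return its short-lived credentials. RoleArn must be a full ARN. */
function assumeRoleCredentials(string $roleArn, string $region): Credentials
{
    $sts  = new StsClient(['version' => 'latest', 'region' => $region]);
    $resp = $sts->assumeRole([
        'RoleArn'         => $roleArn,
        'RoleSessionName' => 'list-regions-' . bin2hex(random_bytes(4)),
        'DurationSeconds' => 900, // shortest allowed lifetime; enough for one call
    ]);
    $c = $resp['Credentials'];
    return new Credentials($c['AccessKeyId'], $c['SecretAccessKey'], $c['SessionToken']);
}

/** Print which principal and account the credentials resolve to; return the account ID. */
function whoAmI(Credentials $creds, string $region): string
{
    $sts = new StsClient(['version' => 'latest', 'region' => $region, 'credentials' => $creds]);
    $id  = $sts->getCallerIdentity();
    printf("Calling as %s in account %s\n", $id['Arn'], $id['Account']);
    return $id['Account'];
}

/**
 * Return [RegionName => RegionOptStatus] for an account. Pass $memberAccountId only
 * when the caller is the organization's management account or a delegated
 * administrator querying a member account; for the caller's own account omit it.
 */
function listRegions(Credentials $creds, string $region, ?string $memberAccountId = null): array
{
    $account = new AccountClient(['version' => 'latest', 'region' => $region, 'credentials' => $creds]);
    $params  = [];
    if ($memberAccountId !== null) {
        $params['AccountId'] = $memberAccountId;
    }
    $out  = [];
    $next = null;
    // ListRegions is paginated via NextToken; loop until no token is returned.
    do {
        if ($next !== null) {
            $params['NextToken'] = $next;
        }
        $r = $account->listRegions($params);
        foreach ($r['Regions'] as $reg) {
            $out[$reg['RegionName']] = $reg['RegionOptStatus'];
        }
        $next = $r['NextToken'] ?? null;
    } while ($next !== null);
    return $out;
}

try {
    $creds = assumeRoleCredentials(ROLE_ARN, REGION);
    whoAmI($creds, REGION);
    foreach (listRegions($creds, REGION) as $name => $status) {
        printf("%-20s %s\n", $name, $status);
    }
} catch (AwsException $e) {
    // Show the exact error code and message instead of a truncated exception dump.
    fprintf(STDERR, "%s: %s\n", $e->getAwsErrorCode(), $e->getAwsErrorMessage());
    exit(1);
}
```

If GetCallerIdentity reports a different account than expected, the AssumeRole target is wrong rather than the permissions; if it reports the intended member account, ListRegions must be called without AccountId from that identity. The AwsException handler prints the full AccessDeniedException text, which names the denied action and principal.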