I want to grant push access to a specific S3 bucket to a user from another AWS account. The role I'm using works well when assumed as a user from my own account, but I get the following error when I try to access it as a user from another account:
User: arn:aws:iam::1231231231:user/data-upload-user/frank-DataUploadUser-WKWGL8C9VUBK is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::3333333333:role/PicSureDataUploadRole
I've scrambled the account IDs just in case. Everything else is as it is in AWS. Here is an excerpt of the CFT that shows the role I want to assume and its trust policy:
Resources:
  #-------------------------------------------------------------------------------
  # Roles & Policies
  #-------------------------------------------------------------------------------
  DataUploadPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Roles:
        - !Ref DataUploader
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              - s3:PutObject*
              - s3:DeleteObject*
            Resource:
              - 'arn:aws:s3:::pic-sure-data-sharing-bucketprototype/*'
  DataUploader:
    Type: AWS::IAM::Role
    Properties:
      RoleName: DataUploadRole
      Path: '/'
      # unit seconds. 12 hours
      MaxSessionDuration: 43200
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: 'Allow'
            Principal:
              AWS:
                - 'arn:aws:iam::1231231231:user/data-upload-user/frank-DataUploadUser-WKWGL8C9VUBK'
                - !Sub 'arn:aws:iam::${ServiceWorkbenchAccount}:user/data-upload-user/${DataUploadUser}'
            Action:
              - 'sts:AssumeRole'
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      Policies: []
Here's the request I'm making to assume the role:
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.AssumeRoleResponse;

// stsClient is an StsClient built with the calling user's own credentials
AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
        .roleArn(roleArn)                                    // arn:aws:iam::<target-account>:role/<RoleName>
        .roleSessionName("test_session" + System.nanoTime()) // allowed chars [\w+=,.@-], 2-64 long
        .externalId(sharedSecret)                            // must equal the trust policy's sts:ExternalId
        .durationSeconds(60 * 60)                            // 1 hour, must not exceed MaxSessionDuration
        .build();
AssumeRoleResponse assumeRoleResponse = stsClient.assumeRole(roleRequest);
I can literally take the role from the error message, find that exact role in the AWS console, take the user from the error message, and find that in the role's trust policy. I have no idea where to go from here.
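Added example, not part of the question above: an offline model of the two policy checks AWS applies to an sts:AssumeRole call. A same-account principal that is named explicitly in the role's trust policy needs nothing else, but a principal in another account must also be allowed sts:AssumeRole on the role ARN by an identity-based policy in its own account, which is the check a cross-account caller can fail even when it appears verbatim in the trust policy. The account IDs, ARNs, external ID and policies below are constructed for the example and the evaluator is a simplification (exact-ARN and account-root principals, StringEquals on sts:ExternalId, Allow/Deny with wildcards), not AWS's real engine.

```python
"""Offline model of cross-account sts:AssumeRole evaluation (constructed example).
Two checks must both pass for a caller in a different account:
  1. the role's trust policy (target account) names the caller and its
     sts:ExternalId condition, if any, matches the request;
  2. the caller's identity-based policy (source account) allows
     sts:AssumeRole on the role ARN.
A same-account caller named by exact ARN in the trust policy skips check 2,
which is why a role can work from its own account and fail from another."""
import fnmatch

TARGET_ACCOUNT = "333333333333"          # made-up account IDs
SOURCE_ACCOUNT = "111111111111"
ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/DataUploadRole"
LOCAL_USER = f"arn:aws:iam::{TARGET_ACCOUNT}:user/local-uploader"
REMOTE_USER = f"arn:aws:iam::{SOURCE_ACCOUNT}:user/data-upload-user/frank"
EXTERNAL_ID = "shared-secret-123"

# What the role's AssumeRolePolicyDocument becomes once deployed.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [LOCAL_USER, REMOTE_USER]},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}
# Identity-based policy the SOURCE account attaches to the remote user.
CALLER_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}],
}
CALLER_POLICY_EMPTY = {"Version": "2012-10-17", "Statement": []}


def _as_list(value):
    """IAM lets a single string stand in for a one-element list."""
    return value if isinstance(value, list) else [value]


def _account_of(arn):
    return arn.split(":")[4]


def trust_policy_match(policy, caller_arn, external_id):
    """Return 'exact' (caller ARN listed), 'account' (account root / bare ID
    listed), or None if no Allow statement trusts this caller."""
    acct = _account_of(caller_arn)
    best = None
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        wanted = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if wanted is not None and wanted != external_id:
            continue  # ExternalId condition present but does not match the request
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if caller_arn in principals:
            return "exact"
        if f"arn:aws:iam::{acct}:root" in principals or acct in principals:
            best = "account"
    return best


def identity_policy_allows(policy, action, resource_arn):
    """Identity-based policy evaluation: an explicit Deny wins, else any matching Allow."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def assume_role_allowed(trust_policy, caller_policy, caller_arn, role_arn, external_id):
    """Combine both checks; returns (allowed, reason)."""
    match = trust_policy_match(trust_policy, caller_arn, external_id)
    if match is None:
        return False, "trust policy does not trust this caller (principal or ExternalId mismatch)"
    if match == "exact" and _account_of(caller_arn) == _account_of(role_arn):
        return True, "same account, caller named by ARN: trust policy alone is sufficient"
    if identity_policy_allows(caller_policy, "sts:AssumeRole", role_arn):
        return True, "trust policy and caller identity policy both allow"
    return False, "caller's own identity policy lacks sts:AssumeRole on the role ARN"


if __name__ == "__main__":
    for caller, policy in [(LOCAL_USER, CALLER_POLICY_EMPTY),
                           (REMOTE_USER, CALLER_POLICY_EMPTY),
                           (REMOTE_USER, CALLER_POLICY_OK)]:
        ok, why = assume_role_allowed(TRUST_POLICY, policy, caller, ROLE_ARN, EXTERNAL_ID)
        print(f"{caller.split('/')[-1]:>15}: {'ALLOW' if ok else 'DENY '} ({why})")
```

The second row of the output is the situation in the question: the remote user is in the trust policy and the external ID matches, yet the call is denied because nothing in the source account grants that user sts:AssumeRole on the role. Attaching a policy like CALLER_POLICY_OK to the user in the source account is the piece that makes the third row pass; an explicit Deny (for example from an SCP or permissions boundary, not modelled here beyond the identity policy) would still override it.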