serverless: Unable to assume role in lambda code
This is a Bug Report
Description
My lambda function tries to assume a role using aws sdk like this:
const aws = require('aws-sdk');

// Lambda only exposes configuration through process.env, so read everything from there
// (the original mixed process.env and this.env).
const { REGION, ACCOUNT_ID, SERVICE_NAME } = process.env;
const sts = new aws.STS({ region: REGION });
const roleName = `${SERVICE_NAME}_ecr_role`;
sts.assumeRole({
  RoleSessionName: roleName,
  RoleArn: `arn:aws:iam::${ACCOUNT_ID}:role/${roleName}`,
  // Optional session policy: it can only narrow what the assumed role already allows.
  Policy: JSON.stringify({
    Version: '2012-10-17',
    Statement: [
      {
        Effect: 'Allow',
        Action: [
          'ecr:GetDownloadUrlForLayer',
          'ecr:PutImage',
          'ecr:InitiateLayerUpload',
          'ecr:UploadLayerPart',
          'ecr:CompleteLayerUpload',
          'ecr:GetAuthorizationToken', // note: this action is not repository-scoped and only matches Resource "*"
          'ecr:BatchCheckLayerAvailability',
          'logs:*', // CloudWatch Logs actions use the "logs" service prefix, not "cloudwatchlogs"
        ],
        Resource: `arn:aws:ecr:${REGION}:${ACCOUNT_ID}:repository/${SERVICE_NAME}/test_repository`,
      },
    ],
  }),
}).promise();
But it fails on
AccessDenied: Not authorized to perform sts:AssumeRole
at Request.extractError (/var/task/node_modules/aws-sdk/lib/protocol/query.js:40:29)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:105:20)
at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:668:14)
at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:670:12)
at Request.callListeners (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:115:18)
at Request.emit (/var/task/node_modules/aws-sdk/lib/sequential_executor.js:77:10)
at Request.emit (/var/task/node_modules/aws-sdk/lib/request.js:668:14)
at Request.transition (/var/task/node_modules/aws-sdk/lib/request.js:22:10)
at AcceptorStateMachine.runTo (/var/task/node_modules/aws-sdk/lib/state_machine.js:14:12)
at /var/task/node_modules/aws-sdk/lib/state_machine.js:26:10
at Request.<anonymous> (/var/task/node_modules/aws-sdk/lib/request.js:38:9)
Even when my lambda role has a policy configured to allow sts:AssumeRole on * (here’s the whole role definition: https://github.com/keboola/developer-portal/blob/master/serverless.yml#L362). Is it necessary to set something more than what I have, or is it some kind of bug? Thanks for help.
Additional Data
- Serverless Framework Version you’re using: 1.2
- Operating System: macOS 10.12
About this issue
- State: closed
- Created 7 years ago
- Comments: 16 (4 by maintainers)
Thanks for your check. The error is still the same:
AccessDenied: Not authorized to perform sts:AssumeRole.

For me, something like this worked: arn:aws:sts::USER_ID:assumed-role/ROLE_NAME/LAMBDA_FUNCTION_NAME
e.g. arn:aws:sts::458485127617:assumed-role/testService-Dev-us-east-2-lambdaRole/testService-Dev-GetUserInfo
The role you are trying to assume needs to have a trust policy that allows the role with which your lambda executes to assume it.
Find the role in IAM, click on it, then click on Trust relationships / Edit trust relationships: the policy needs to include something like
Read more here: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements.html#Principal
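Added example, not code from the issue or from the keboola/developer-portal project: a serverless.yml fragment wiring both halves of the grant the comment above describes. The Lambda execution role gets sts:AssumeRole on the one target role (not on *), and the target role's trust policy names that execution role as principal. The logical ID IamRoleLambdaExecution is the name the Serverless Framework gives the execution role it generates; the service name, function name, runtime and repository path are placeholders, and the resource-scoping of the ECR actions is this example's own choice.

```yaml
service: my-service        # placeholder service name

provider:
  name: aws
  runtime: nodejs6.10      # placeholder runtime
  region: us-east-1
  # Caller side: the Lambda execution role may call sts:AssumeRole, but only on
  # the one role it needs. The ARN is built from the fixed RoleName below rather
  # than with Fn::GetAtt, because the target role's trust policy references this
  # execution role and a GetAtt in both directions would be a CloudFormation cycle.
  iamRoleStatements:
    - Effect: Allow
      Action: sts:AssumeRole
      Resource:
        Fn::Join:
          - ''
          - - 'arn:aws:iam::'
            - Ref: AWS::AccountId
            - ':role/${self:service}_ecr_role'

functions:
  pushImage:
    handler: handler.pushImage   # placeholder handler
    environment:
      ROLE_ARN:
        Fn::Join:
          - ''
          - - 'arn:aws:iam::'
            - Ref: AWS::AccountId
            - ':role/${self:service}_ecr_role'

resources:
  Resources:
    EcrRole:
      Type: AWS::IAM::Role
      Properties:
        RoleName: ${self:service}_ecr_role
        # Target side: the trust policy. Without this statement STS answers
        # "Not authorized to perform sts:AssumeRole" even though the caller's
        # own policy allows sts:AssumeRole on *.
        AssumeRolePolicyDocument:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Principal:
                AWS:
                  Fn::GetAtt: [IamRoleLambdaExecution, Arn]
              Action: sts:AssumeRole
        Policies:
          - PolicyName: ecr-push
            PolicyDocument:
              Version: '2012-10-17'
              Statement:
                - Effect: Allow
                  Action:
                    - ecr:BatchCheckLayerAvailability
                    - ecr:CompleteLayerUpload
                    - ecr:GetDownloadUrlForLayer
                    - ecr:InitiateLayerUpload
                    - ecr:PutImage
                    - ecr:UploadLayerPart
                  Resource:
                    Fn::Join:
                      - ''
                      - - 'arn:aws:ecr:'
                        - Ref: AWS::Region
                        - ':'
                        - Ref: AWS::AccountId
                        - ':repository/${self:service}/test_repository'
                # GetAuthorizationToken is not repository-scoped; it only matches Resource "*".
                - Effect: Allow
                  Action: ecr:GetAuthorizationToken
                  Resource: '*'
```

The two statements are evaluated independently: the execution role's policy must allow the call, and the target role's trust policy must allow that caller. Either one missing produces the same AccessDenied, so when debugging, check the trust policy first, then confirm the ARN in the caller's sts:AssumeRole statement matches the role it is actually calling.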
Thanks for commenting @Shion093 👍
Could you please provide some more context on your service? What does your serverless.yml file look like? What does the code look like where you want to assume the role? Thanks in advance!