I'm having trouble with an EC2 instance that's running a Docker container to post objects into an S3 bucket. I've set up a role with the necessary permissions and configured the trust relationship for the EC2 instance to assume that role. Here's my trust relationship policy snippet: it allows the EC2 service to assume the role.
Inside the container, I created an .aws/config file with the following content:
[profile some-name]
role_arn = arn:aws:iam::xxxxxxxxxxxxxxx:role/some-role
credential_source = Ec2InstanceMetadata
region = us-east-1
I mounted this configuration folder in my app as:
volumes:
- /root/.aws:/root/.aws
My EC2 instance is using IMDSv2 with a hop count set to 2. However, when I run "aws sts get-caller-identity" inside the container, I get this error:
"An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::xxxxxxxxxxxxxxxxx:assumed-role/some-role/i-0234230d1ce01eff is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxxxxxxx:role/some-role." Any ideas on why the AssumeRole is being denied?
2 Answers
Also, double-check if there are any other policies applied to your role that might explicitly deny the `sts:AssumeRole` action. Any explicit deny will override the allow permissions, so it's worth looking into!
It seems like the issue might be with your EC2 instance role policy. Besides the trust relationship, you need an explicit policy statement in your instance role that allows the `sts:AssumeRole` action on the resource you're trying to access. Without that, even with the trust relationship set up, you'll still run into access issues.
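Both answers come down to the same two-sided check IAM applies to sts:AssumeRole: the target role's trust policy must name the caller, an identity-based policy on the caller must allow the action on that role, and an explicit Deny anywhere overrides every Allow. The evaluator below, added here as an illustration and not code from the asker or either answerer, models that logic over constructed policy documents so the failure modes can be reproduced offline. The account id, bucket name and policy documents are placeholders; the caller ARN mirrors the shape in the question's error message (the instance's own role session trying to assume the same role). The model is deliberately conservative: it always requires the identity-policy side, whereas AWS relaxes that in some same-account cases where the trust policy names the role ARN directly, and it ignores NotAction, conditions and SCPs.

```python
"""Minimal two-sided AssumeRole evaluator (constructed example, not AWS's engine).

Checks modelled before sts:AssumeRole is allowed:
  1. the target role's trust policy must name the calling principal;
  2. an identity-based policy on the caller must allow sts:AssumeRole on the
     target role ARN (conservative: AWS relaxes this in some same-account cases);
  3. an explicit Deny in either policy overrides every Allow.
"""
from fnmatch import fnmatchcase

ACCOUNT = "111122223333"  # constructed placeholder account id
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/some-role"
# The caller from the question's error: the instance's own role session.
CALLER_ARN = f"arn:aws:sts::{ACCOUNT}:assumed-role/some-role/i-0234230d1ce01eff"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """IAM-style wildcard match of one value against Action/Resource patterns."""
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def _principal_matches(principal, caller_arn):
    """True if a trust-policy Principal block covers the caller.

    Only "AWS" principals count here. A Service principal such as
    ec2.amazonaws.com is how the instance obtains its initial credentials;
    it does not authorise a role session to call sts:AssumeRole.
    """
    if principal == "*":
        return True
    caller_account = caller_arn.split(":")[4]
    for arn in _as_list(principal.get("AWS", [])):
        if arn == "*" or arn == caller_arn:
            return True
        parts = arn.split(":")
        if len(parts) != 6 or parts[2] != "iam":
            continue
        account, name = parts[4], parts[5]
        # Account root delegates the decision to the caller's identity policy.
        if name == "root" and account == caller_account:
            return True
        # Naming a role ARN covers every session of that role.
        if name.startswith("role/"):
            role_name = name.split("/", 1)[1]
            if caller_arn.startswith(f"arn:aws:sts::{account}:assumed-role/{role_name}/"):
                return True
    return False


def trust_policy_decision(trust_policy, caller_arn):
    """Return 'Deny', 'Allow' or 'Implicit' for sts:AssumeRole by caller_arn."""
    decision = "Implicit"
    for stmt in _as_list(trust_policy.get("Statement", [])):
        if not _matches(stmt.get("Action", []), "sts:AssumeRole"):
            continue
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def identity_policy_decision(policies, role_arn):
    """Return 'Deny', 'Allow' or 'Implicit' for sts:AssumeRole on role_arn."""
    decision = "Implicit"
    for policy in policies:
        for stmt in _as_list(policy.get("Statement", [])):
            if not _matches(stmt.get("Action", []), "sts:AssumeRole"):
                continue
            if not _matches(stmt.get("Resource", []), role_arn):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


def can_assume(caller_arn, caller_policies, role_arn, trust_policy):
    """Combine both sides; explicit Deny wins, then both must Allow."""
    trust = trust_policy_decision(trust_policy, caller_arn)
    ident = identity_policy_decision(caller_policies, role_arn)
    if "Deny" in (trust, ident):
        return False, "explicit Deny wins over any Allow"
    if trust != "Allow":
        return False, "trust policy does not name the caller as a principal"
    if ident != "Allow":
        return False, "no identity policy on the caller allows sts:AssumeRole on the role"
    return True, "trust policy and identity policy both allow"


# Constructed sample policies.
TRUST_EC2_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"}]}
TRUST_FIXED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"}, "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": ROLE_ARN}, "Action": "sts:AssumeRole"}]}
S3_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:PutObject", "Resource": "arn:aws:s3:::example-bucket/*"}]}
ALLOW_ASSUME = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}
DENY_STS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Deny", "Action": "sts:*", "Resource": "*"}]}

if __name__ == "__main__":
    print(can_assume(CALLER_ARN, [S3_ONLY], ROLE_ARN, TRUST_EC2_ONLY))
    print(can_assume(CALLER_ARN, [ALLOW_ASSUME], ROLE_ARN, TRUST_EC2_ONLY))
    print(can_assume(CALLER_ARN, [ALLOW_ASSUME], ROLE_ARN, TRUST_FIXED))
    print(can_assume(CALLER_ARN, [ALLOW_ASSUME, DENY_STS], ROLE_ARN, TRUST_FIXED))
```

Running the four cases in order shows the question's setup failing on the trust side (the EC2 service principal covers the instance profile, not a role session), the second answer's point that an identity policy is needed as well, the combination that passes, and the first answer's point that a single explicit Deny on sts:* flips a passing configuration back to denied.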