Troubleshooting problems with permissions when using the AWS IAM assumeRole function with session

Within my aws-cdk application, I am working on setting up a lambda function to assume a specific role and obtain credentials through aws-sts. These credentials need to include a tenant_id tag.

AWS CDK Code:

Role to be assumed:

import { PolicyStatement, Role, ServicePrincipal } from "aws-cdk-lib/aws-iam";

// Role to be assumed. Its trust policy names the Lambda *service* principal and,
// via withSessionTags(), allows sts:TagSession alongside sts:AssumeRole.
const pdfUserRole = new Role(this, "PDFTenantUserRole", {
  assumedBy: new ServicePrincipal("lambda.amazonaws.com").withSessionTags(),
  description: "Role assumed by the pdf service for a user",
});

// Permission policy attached to the assumed role itself (not to its trust policy).
pdfUserRole.addToPolicy(
  new PolicyStatement({
    actions: ["sts:TagSession"],
    resources: ["*"],
  })
);

Lambda Function definition:

import { Tracing } from "aws-cdk-lib/aws-lambda";

// LambdaFunctionTypescript and getFilePath are project-local helpers (not shown here).
this.pdfGeneratorFunction = new LambdaFunctionTypescript(
  this,
  "Handler",
  {
    tracing: Tracing.PASS_THROUGH,
    entry: getFilePath(import.meta.url, "pdf-generator-function.ts"),
    memorySize: 1536,
    layers: [],
    // Identity policy on the function's execution role: allows it to call
    // sts:AssumeRole and sts:TagSession on the tenant role.
    initialPolicy: [
      new PolicyStatement({
        resources: [pdfUserRole.roleArn],
        actions: ["sts:AssumeRole", "sts:TagSession"],
      }),
    ],
  }
);

This role is supposed to be assumed by the lambda function in the handler code:

import { AssumeRoleCommand, STSClient } from "@aws-sdk/client-sts";

// ARN of PDFTenantUserRole. How it reaches the handler is not shown in the
// question; an environment variable is assumed here.
const userRoleArn = process.env.USER_ROLE_ARN!;

const sts = new STSClient({});

// Assume the tenant role with a tenant_id session tag; marking the tag
// transitive makes it persist through any further role chaining.
const getCredentials = async (tenantId: string) => {
  return sts.send(
    new AssumeRoleCommand({
      RoleArn: userRoleArn,
      RoleSessionName: "PDFGenerator_" + tenantId,
      TransitiveTagKeys: ["tenant_id"],
      Tags: [
        {
          Key: "tenant_id",
          Value: tenantId,
        },
      ],
    })
  );
};

The lambda function is associated with a service role that contains an inline definition from the handler.

I am facing an issue where my lambda function cannot call the AssumeRole:

User: arn:aws:sts::<AWSAccountId>:assumed-role/PDFGeneratorHandlerServiceRole/PDFGeneratorHandler is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<AWSAccountId>:role/PDFGeneratorPDFTenantUserRole

I suspect there might be a principal issue since it seems like it is calling as the service role instead of the lambda. I have already tried adding a trust relationship between the function and the role without success.

Update: The credentials generated by the lambda function are intended to be used within a virtual browser, not by the lambda itself.

Update 2: You can find an example link here: https://github.com/aws-samples/multi-tenant-database-isolation-patterns/blob/2000b9ff4630d181421a8761ffea3f7a9039eacf/patterns/3-pool-compute-db-per-tenant-iam-auth/silo-compute-iam.ts#29

Answer №1

It's important to differentiate between the IAM role of the lambda function and the code within the function itself. The role must have a trust relationship allowing lambda to assume it, as lambda fetches credentials before running your code. Without this role and proper trust relationship, your function will not work.

On the other hand, your code uses the credentials obtained by lambda service when attempting to assume any other roles. This means that subsequent actions with these credentials are independent of the lambda service's principal.

If your function's role only permits lambda to assume it, any attempt to perform an assume role call from within your function will fail. There is no need to manually perform this call since your function already possesses valid credentials for the role. If further role assumptions are necessary, those roles should trust the actual role your lambda runs with, not the lambda service itself.

To establish a trust relationship on the role to be assumed by the lambda function's service role, you can use the following configuration:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<AWSAccountId>:role/PDFGeneratorHandlerServiceRole"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession"
            ]
        }
    ]
}
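As an added example (not code from the question, the answer, or the linked AWS sample), the check below evaluates a trust policy offline against the caller shown in the error message. The account id and policy documents are constructed: the `Service`-principal policy mirrors what `ServicePrincipal("lambda.amazonaws.com").withSessionTags()` produces, the `AWS`-principal one mirrors the answer's JSON, and the third shows the case the answer implies but does not spell out: a trust policy that names the right role but lacks `sts:TagSession` still rejects an AssumeRole call that passes `Tags`.

```typescript
// Added example, not code from the question or answer: an offline check of whether
// a role's trust policy lets a given STS caller run AssumeRole with session tags.
// Only Allow statements with Principal.AWS / Principal.Service are modelled.
type Principal = { AWS?: string | string[]; Service?: string | string[] };
type Statement = { Effect: "Allow" | "Deny"; Principal: Principal; Action: string | string[] };
type TrustPolicy = { Version: string; Statement: Statement[] };

const asList = (v?: string | string[]): string[] => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// The "User:" in the error is an STS session ARN; a trust policy must name the
// underlying IAM role instead:
//   arn:aws:sts::ACCOUNT:assumed-role/RoleName/SessionName -> arn:aws:iam::ACCOUNT:role/RoleName
function sessionArnToRoleArn(sessionArn: string): string {
  const m = /^arn:aws:sts::(\d{12}):assumed-role\/([^/]+)\/.+$/.exec(sessionArn);
  if (!m) throw new Error(`not an assumed-role session ARN: ${sessionArn}`);
  return `arn:aws:iam::${m[1]}:role/${m[2]}`;
}

// Actions in `required` that no Allow statement grants to callerRoleArn.
// Passing Tags to AssumeRole needs sts:TagSession in the trust policy as well.
function missingTrustActions(
  policy: TrustPolicy,
  callerRoleArn: string,
  required: string[] = ["sts:AssumeRole", "sts:TagSession"],
): string[] {
  const granted = new Set<string>();
  for (const s of policy.Statement) {
    if (s.Effect !== "Allow") continue;
    // A Service principal (lambda.amazonaws.com) never matches a caller that is an IAM role.
    if (!asList(s.Principal.AWS).includes(callerRoleArn)) continue;
    for (const a of asList(s.Action)) granted.add(a);
  }
  return required.filter((a) => !granted.has(a));
}
// Constructed inputs (account id is a placeholder). The first mirrors the trust
// policy CDK emits for ServicePrincipal("lambda.amazonaws.com").withSessionTags();
// the second mirrors the answer's fix; the third omits sts:TagSession.
const CALLER = "arn:aws:sts::123456789012:assumed-role/PDFGeneratorHandlerServiceRole/PDFGeneratorHandler";
const EXEC_ROLE = "arn:aws:iam::123456789012:role/PDFGeneratorHandlerServiceRole";
const ACTIONS = ["sts:AssumeRole", "sts:TagSession"];
const lambdaServiceTrust: TrustPolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Principal: { Service: "lambda.amazonaws.com" }, Action: ACTIONS }] };
const executionRoleTrust: TrustPolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Principal: { AWS: EXEC_ROLE }, Action: ACTIONS }] };
const assumeOnlyTrust: TrustPolicy = { Version: "2012-10-17", Statement: [
  { Effect: "Allow", Principal: { AWS: EXEC_ROLE }, Action: "sts:AssumeRole" }] };
console.log(missingTrustActions(lambdaServiceTrust, sessionArnToRoleArn(CALLER))); // both actions missing
console.log(missingTrustActions(executionRoleTrust, sessionArnToRoleArn(CALLER))); // []
console.log(missingTrustActions(assumeOnlyTrust, sessionArnToRoleArn(CALLER)));   // ["sts:TagSession"]
```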
