Tips To Solve “Error: is not authorized to perform sts assumerole on resource”

JavaScript is the most widely used language for interactive web pages, and Node.js, its server-side runtime, is a common choice for data-intensive back ends. AWS lets you host such applications and hand them short-lived, scoped credentials through STS. When a Node.js application calls STS AssumeRole, you may hit “Error: is not authorized to perform sts assumerole on resource”.

Here is how the error occurs and how to fix it.

How the error pops up

When you call the STS AssumeRole operation, the request fails and the error message names the caller and the role (both shown as xxx here):

User: xxx is not authorized to perform: sts:AssumeRole on resource: xxx

It appears with the following setup. The calling IAM user belongs to a group with this identity-based policy; it allows every STS action on every resource, so the caller's own side is not what is missing:

Policy in group:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "some-large-id",
            "Effect": "Allow",
            "Action": [
                "sts:*"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}

Policy in role (this is the role's permissions policy, which governs what the assumed session may do; it is not the trust policy, which governs who may assume the role):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "another-large-id",
            "Effect": "Allow",
            "Action": [
                "s3:PutObject"
            ],
            "Resource": [
                "arn:aws:s3:::my-bucket-name/*"
            ]
        }
    ]
}

Finally, the Node.js code calls AssumeRole, passing a session policy that narrows the role's permissions further:

const AWS = require('aws-sdk'); // AWS SDK for JavaScript v2

// Session policy: it can only narrow the role's own permissions, never widen them.
const policy = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "new-custom-id",
            "Effect": "Allow",
            "Action": ["s3:PutObject"],
            "Resource": ["arn:aws:s3:::my-bucket-name/*"]
        }
    ]
};

// RoleSessionName must be unique per session and match [\w+=,.@-]{2,64};
// it shows up in CloudTrail, so make it meaningful.
const makeNewSessionId = () => `session-${Date.now()}`;

const params = {
    DurationSeconds: 3600,
    ExternalId: 'some-value', // only enforced if the trust policy has an sts:ExternalId condition
    Policy: JSON.stringify(policy),
    RoleArn: "arn:aws:iam::NUMBER:role/ROLE-NAME", // checked: same role as the policy above
    RoleSessionName: makeNewSessionId()
};

// STS has a single API version, 2011-06-15 (the original used one that does not exist).
const sts = new AWS.STS({ apiVersion: '2011-06-15' });

sts.assumeRole(params, (err, data) => {
    if (err) console.error(err);          // AccessDenied from the trust policy lands here
    else console.log(data.Credentials);   // AccessKeyId, SecretAccessKey, SessionToken, Expiration
});

With this setup the call fails even though the user's policy grants sts:*, because AssumeRole is authorized on two sides and the second one, the role's trust policy, does not name the user. Here is how to fix it.

Ways To Fix the Error Message “Error: is not authorized to perform sts assumerole on resource”

Both fixes come down to the same check: the role must trust the principal that calls AssumeRole.

Option 1

The first thing to check is the role's trust relationship (its trust policy, also called the AssumeRolePolicyDocument). AssumeRole is authorized in two places: the caller's identity policy must allow sts:AssumeRole on the role ARN, and the role's trust policy must list the caller as a principal. The SDK you call from (Node.js, Java, the CLI) makes no difference; what matters is that the trust policy names the IAM user or role whose credentials make the call. Replace the account ID and user name with the ARN of your IAM user:

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::<AWS Account ID>:user/JohnDoe"
        },
        "Action": "sts:AssumeRole"
      }
    ]
}

The following Java program (AWS SDK for Java 2.x) invokes the same AssumeRole operation. It is shown to make the point that the fix lives in the trust policy, not in the client code; without the trust relationship it fails with the same error:

package com.example.sts;

import software.amazon.awssdk.regions.Region;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.StsException;
import software.amazon.awssdk.services.sts.model.AssumeRoleResponse;
import software.amazon.awssdk.services.sts.model.Credentials;
import java.time.Instant;
import java.time.ZoneId;
import java.time.format.DateTimeFormatter;
import java.time.format.FormatStyle;
import java.util.Locale;

/**
 * To make this code example work, create a Role that you want to assume.
 * Then define a Trust Relationship in the AWS Console. You can use this as an example:
 *
 * {
 *   "Version": "2012-10-17",
 *   "Statement": [
 *     {
 *       "Effect": "Allow",
 *       "Principal": {
 *         "AWS": "<Specify the ARN of your IAM user you are using in this code example>"
 *       },
 *       "Action": "sts:AssumeRole"
 *     }
 *   ]
 * }
 *
 * For more information, see "Editing the Trust Relationship for an Existing Role" in the AWS Directory Service guide.
 */

public class AssumeRole {

    public static void main(String[] args) {

        String roleArn = "arn:aws:iam::000540000000:role/s3role"; // args[0];
        String roleSessionName = "mysession101";                  // args[1];

        Region region = Region.US_EAST_1;
        StsClient stsClient = StsClient.builder()
                .region(region)
                .build();

        try {
            AssumeRoleRequest roleRequest = AssumeRoleRequest.builder()
                    .roleArn(roleArn)
                    .roleSessionName(roleSessionName)
                    .build();

            AssumeRoleResponse roleResponse = stsClient.assumeRole(roleRequest);

            // Temporary credentials: access key, secret key, session token and expiry
            Credentials myCreds = roleResponse.credentials();

            // Display the time when the temp creds expire
            Instant exTime = myCreds.expiration();

            // Convert the Instant to a readable local date/time
            DateTimeFormatter formatter =
                    DateTimeFormatter.ofLocalizedDateTime(FormatStyle.SHORT)
                            .withLocale(Locale.US)
                            .withZone(ZoneId.systemDefault());

            System.out.println("The temporary credentials expire on " + formatter.format(exTime));

        } catch (StsException e) {
            // A caller the role does not trust ends up here with
            // "... is not authorized to perform: sts:AssumeRole on resource: ..."
            System.err.println(e.getMessage());
            System.exit(1);
        }
    }
}

This resolves the error only if the trust relationship is in place; without it the call fails regardless of what the client code does.

Option 2

Open the IAM role's trust relationship policy document and confirm that the principal making the call is still listed in it. Note that if the user was deleted and recreated under the same name, it has a new unique ID and AWS rewrites the old ARN in the trust policy to that ID, so the entry must be re-added. Also confirm that the IAM user's own policy allows sts:AssumeRole on that role's ARN. A trust policy that names a single user looks like this (the account ID is a placeholder):

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::1234567890:user/person"
                ]
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
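Option 1 and Option 2 both turn on the same two-sided check, and AWS returns the identical "is not authorized to perform: sts:AssumeRole" message whichever side is missing. The Node.js script below is an added example, not code from the original post or from AWS: it evaluates a caller's identity policy and a role's trust policy offline and reports which side denies the call. It assumes a placeholder account ID 123456789012, a calling user named person, the group policy shown above, a deliberately broken trust policy that names JohnDoe instead of person, and a fixed one that names person and pins the ExternalId 'some-value' that the Node.js code sends. It models Allow, explicit Deny in the identity policy, and the sts:ExternalId condition only; SCPs, permission boundaries and other condition keys are out of scope.

```javascript
// Added example (not from the original post): an offline approximation of the two
// authorization checks AWS makes when a caller invokes sts:AssumeRole.
//   1. The caller's identity-based policy must allow sts:AssumeRole on the role ARN.
//   2. The role's trust policy must name the caller as a Principal, and if it carries
//      an sts:ExternalId condition, the ExternalId passed to AssumeRole must match.
// All ARNs and account IDs below are placeholders assumed for the example.

const toList = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);

// IAM wildcards: '*' matches any run of characters, '?' matches a single one.
function globToRegExp(pattern, caseInsensitive) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, '\\$&')
    .replace(/\*/g, '.*')
    .replace(/\?/g, '.');
  return new RegExp('^' + escaped + '$', caseInsensitive ? 'i' : '');
}

function matchesAny(value, patterns, caseInsensitive) {
  return toList(patterns).some((p) => globToRegExp(p, caseInsensitive).test(value));
}

// Check 1: does the caller's own policy allow sts:AssumeRole on this role?
// Action names are case-insensitive in IAM; resource ARNs are case-sensitive.
function identityAllowsAssumeRole(identityPolicy, roleArn) {
  let allowed = false;
  for (const st of identityPolicy.Statement) {
    if (!matchesAny('sts:AssumeRole', st.Action, true)) continue;
    if (!matchesAny(roleArn, st.Resource, false)) continue;
    if (st.Effect === 'Deny') return false; // an explicit Deny always wins
    if (st.Effect === 'Allow') allowed = true;
  }
  return allowed;
}

// Check 2: does the role's trust policy trust this caller (and this ExternalId)?
// A principal entry may be the caller's exact ARN, the account root ARN, or the bare
// account ID; the latter two delegate the decision to the caller's identity policy.
function trustAllowsCaller(trustPolicy, callerArn, externalId) {
  const accountId = callerArn.split(':')[4];
  const accountRoot = `arn:aws:iam::${accountId}:root`;
  for (const st of trustPolicy.Statement) {
    if (st.Effect !== 'Allow') continue;
    if (!matchesAny('sts:AssumeRole', st.Action, true)) continue;
    const principals = toList(st.Principal && st.Principal.AWS);
    if (!principals.some((p) => p === callerArn || p === accountRoot || p === accountId)) continue;
    const required = st.Condition && st.Condition.StringEquals && st.Condition.StringEquals['sts:ExternalId'];
    if (required !== undefined && !toList(required).includes(externalId)) continue;
    return true;
  }
  return false;
}

// Run both checks and report which side failed (AWS itself does not say).
function explainAssumeRole({ callerArn, roleArn, identityPolicy, trustPolicy, externalId }) {
  const denied = `${callerArn} is not authorized to perform: sts:AssumeRole on resource: ${roleArn}`;
  if (!identityAllowsAssumeRole(identityPolicy, roleArn)) {
    return { allowed: false, side: 'identity-policy', message: denied };
  }
  if (!trustAllowsCaller(trustPolicy, callerArn, externalId)) {
    return { allowed: false, side: 'trust-policy', message: denied };
  }
  return { allowed: true, side: null, message: 'AssumeRole would succeed' };
}

// Constructed inputs: placeholder account, the group policy from the post, a trust
// policy that names the wrong user, and a fixed one that names the caller.
const callerArn = 'arn:aws:iam::123456789012:user/person';
const roleArn = 'arn:aws:iam::123456789012:role/ROLE-NAME';

const groupPolicy = {
  Version: '2012-10-17',
  Statement: [{ Sid: 'some-large-id', Effect: 'Allow', Action: ['sts:*'], Resource: ['*'] }],
};

// Broken: the role trusts JohnDoe, but the Node.js code runs as "person".
const untrustingPolicy = {
  Version: '2012-10-17',
  Statement: [{ Effect: 'Allow', Principal: { AWS: 'arn:aws:iam::123456789012:user/JohnDoe' }, Action: 'sts:AssumeRole' }],
};

// Fixed: trusts the caller and also requires the ExternalId the Node.js code sends.
const fixedPolicy = {
  Version: '2012-10-17',
  Statement: [{
    Effect: 'Allow',
    Principal: { AWS: ['arn:aws:iam::123456789012:user/person'] },
    Action: 'sts:AssumeRole',
    Condition: { StringEquals: { 'sts:ExternalId': 'some-value' } },
  }],
};

const before = explainAssumeRole({ callerArn, roleArn, identityPolicy: groupPolicy, trustPolicy: untrustingPolicy, externalId: 'some-value' });
const after = explainAssumeRole({ callerArn, roleArn, identityPolicy: groupPolicy, trustPolicy: fixedPolicy, externalId: 'some-value' });
console.log('before fix:', before.side, '-', before.message);
console.log('after fix: ', after.message);
```

Run it with node: the untrusting policy is reported as denied on the trust-policy side, the fixed one passes, and swapping the ExternalId or scoping the group policy to a different role flips the result to the corresponding side. Keep the ExternalId condition in the real trust policy: the Node.js script already sends ExternalId: 'some-value', but STS ignores that value unless the trust policy asks for it.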

Conclusion

Those are the two checks behind “Error: is not authorized to perform sts assumerole on resource”: the role's trust policy must name the caller, and the caller's own policy must allow sts:AssumeRole on the role's ARN. Fix whichever side is missing and the call goes through.

I wish you all the best!
