I am attempting to call the AssumeRole function using AWS sts in my PHP program since I want to create temporary credentials to allow a user to create an object for an AWS b
You also need to edit the Trust relationship for the role to allow the account (even if it's the same) to assume the role.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        },
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:role/some-role"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
In this example I had to add the "AWS" principal with the proper account number; the ec2.amazonaws.com service was already there.
After I had done that, I was able to assume the role without issue. It took me literally hours to figure this out; I hope this will help someone.
Maybe you should assign your sts region and endpoint:
$sts = StsClient::factory(array(
    //...
    'region'   => 'us-west-2',
    'endpoint' => 'https://sts.us-west-2.amazonaws.com',
));
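Putting the two answers above together, here is an added example (not code from the question or any answer) of the full flow the question asks for: assume the role, then use only the temporary credentials to upload one object. It assumes AWS SDK for PHP v3 installed via Composer; the role ARN, bucket name and region are placeholders, and the role's trust policy must list the caller under an "AWS" principal as shown in the first answer.

```php
<?php
// Added example, not from the question or answers. Assumes AWS SDK for PHP v3 via Composer;
// the role ARN, bucket name and region are placeholders.
require 'vendor/autoload.php';

use Aws\Exception\AwsException;
use Aws\S3\S3Client;
use Aws\Sts\StsClient;

$region  = 'us-west-2';                                   // set explicitly, as suggested above
$roleArn = 'arn:aws:iam::123456789012:role/upload-role';  // placeholder; its trust policy must allow the caller
$bucket  = 'example-upload-bucket';                        // placeholder

$sts = new StsClient(['version' => 'latest', 'region' => $region]);

try {
    // The session policy narrows the temporary credentials further: effective permissions
    // are the intersection of the role's own policies and this inline one.
    $assumed = $sts->assumeRole([
        'RoleArn'         => $roleArn,
        'RoleSessionName' => 'user-upload-' . bin2hex(random_bytes(4)),
        'DurationSeconds' => 900,  // minimum lifetime; enough for a single upload
        'Policy'          => json_encode([
            'Version'   => '2012-10-17',
            'Statement' => [[
                'Effect'   => 'Allow',
                'Action'   => 's3:PutObject',
                'Resource' => "arn:aws:s3:::{$bucket}/uploads/*",
            ]],
        ]),
    ]);
} catch (AwsException $e) {
    // AccessDenied here usually points at the role's trust policy or at the STS region.
    exit('AssumeRole failed: ' . $e->getAwsErrorMessage() . PHP_EOL);
}
$creds = $assumed['Credentials'];
// Only the temporary key, secret and session token reach the S3 client; the caller's
// long-lived credentials never leave this process.
$s3 = new S3Client([
    'version'     => 'latest',
    'region'      => $region,
    'credentials' => [
        'key'    => $creds['AccessKeyId'],
        'secret' => $creds['SecretAccessKey'],
        'token'  => $creds['SessionToken'],
    ],
]);
$s3->putObject(['Bucket' => $bucket, 'Key' => 'uploads/hello.txt', 'Body' => 'hello']);
// In SDK v3, Expiration is a DateTime-like object (assumption noted in the lead-in).
echo 'Uploaded; temporary credentials expire at ' . $creds['Expiration']->format('c') . PHP_EOL;
```

If the call fails with AccessDenied even though the caller's IAM policy allows sts:AssumeRole, check the role's trust relationship first, then confirm STS is enabled in the region you configured.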
I had the same error and spent hours trying to fix it with permissions and trust relationships... but that was not my problem.
I was following this tutorial and I deployed the cluster in US West (Oregon) as specified.
To make it work, I needed to activate STS for this region here.