I am trying to access cross-account API in AWS using the assumed role. The roles are configured correctly.
I am able to invoke API for the first and after that till the session duration, I am getting something like the following error. I am not sure how to handle this to make every request success. Please help.
Error: AccessDenied: User: arn:aws:sts::xxxxxxxxxx:assumed-role is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxx:role/assume-role
const AWS = require('aws-sdk')
var aws4 = require('aws4');
const REGION = process.env.REGION || 'eu-west-1';
const ASSUME_ROLE_ARN = process.env.ASSUME_ROLE_ARN || '';
const API_ID_PARAMETER = process.env.EXT_API_ID_PARAMETER || '/test/gl/module/dev/testapi';
exports.handler = async(event) => {
console.log('received event')
console.log('ASSUME_ROLE_ARN:' + ASSUME_ROLE_ARN);
console.log('API_ID_PARAMETER:' + EXT_API_ID_PARAMETER);
var sts = new AWS.STS({
region: REGION
});
console.log('sts success')
const getCrossAccountCredentials = async() => {
return new Promise((resolve, reject) => {
const timestamp = (new Date()).getTime();
const params = {
RoleArn: 'arn:aws:iam::XXXXXXXXXXX:role/assume-role',
RoleSessionName: `be-descriptibe-here-${timestamp}`,
DurationSeconds: 3600
};
console.log('RoleSessionName : ' + params.RoleSessionName)
sts.assumeRole(params, (err, data) => {
if (err)
reject(err);
else {
resolve({
accessKeyId: data.Credentials.AccessKeyId,
secretAccessKey: data.Credentials.SecretAccessKey,
sessionToken: data.Credentials.SessionToken,
});
}
});
});
}
try {
const tempdata = await getCrossAccountCredentials();
var data = JSON.parse(JSON.stringify(tempdata));
console.log(data);
console.log(data.accessKeyId);
console.log(data.secretAccessKey);
AWS.config.update({
accessKeyId: data.accessKeyId,
secretAccessKey: data.secretAccessKey,
sessionToken: data.sessionToken
});
const creds = {
accessKeyId: data.accessKeyId,
secretAccessKey: data.secretAccessKey,
sessionToken: data.sessionToken
};
console.log('AWS.SSM start')
var ssm = new AWS.SSM({
apiVersion: '2014-11-06',
region: REGION,
credentials: creds
});
console.log('AWS.SSM end')
const {
Parameter
} = await ssm
.getParameter({
Name: EXT_API_ID_PARAMETER
})
.promise();
console.log(Parameter.Value)
let request = {
host: `${Parameter.Value}.execute-api.eu-west-1.amazonaws.com`,
method: 'GET',
url: `https://${Parameter.Value}.execute-api.eu-west-1.amazonaws.com/dev/test/1`,
path: '/dev/test/1'
};
let signedRequest = aws4.sign(request, creds);
delete signedRequest.headers['Host'];
delete signedRequest.headers['Content-Length'];
const res = await axios(signedRequest);
console.log('Data:', res.data);
} catch (err) {
console.log('Error:', err);
}
};
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
