When working with Amazon Web Services (AWS), you may encounter various error messages that can be perplexing, especially if you're new to the platform. One such error message is "AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity." In this article, we will demystify this error, explain its implications, and guide you on how to troubleshoot and resolve it.
The error message "AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity" typically occurs in the context of AWS Identity and Access Management (IAM). It signifies that the IAM user or role attempting to perform the sts:AssumeRoleWithWebIdentity action lacks the necessary permissions to do so. This action is related to assuming an IAM role using web identity federation, typically associated with services like Amazon Cognito or OIDC (OpenID Connect).
Let's break down the components of this error:
- AccessDenied: This part of the error message indicates that the user or role does not have the required permissions.
- sts:AssumeRoleWithWebIdentity: This is the specific action that the user or role is attempting to perform. It involves assuming an IAM role based on a web identity token, such as those issued by Amazon Cognito.
Common Causes and fixes of "Access Denied: Not authorized to perform sts:AssumeRoleWithWebIdentity - Status Code 403"
Errors in IAM policies or the trust relationship
We need to ensure that the trust relationship defined in the role's trust policy is correct and that it allows the sts:AssumeRoleWithWebIdentity action. Below is a correct trust relationship JSON:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::xxxxx678:oidc-provider/oidc.eks.xxxxx-1.amazonaws.com/id/Bxxxxx02"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "oidc.eks.xxxx.amazonaws.com/id/Bxxx02:aud": "sts.amazonaws.com",
          "oidc.eks.xxxx.amazonaws.com/id/Bxxxx2:sub": "system:serviceaccount:secretman:abhi-deployment-sa"
        }
      }
    }
  ]
}
Incorrect OIDC provider for the EKS cluster
If the OIDC provider ID is wrong, we can also encounter this error. Make sure the correct ID is provided and that the region mentioned is also correct. Also, when writing the condition, make sure we reference the OIDC provider URL (its hostname) and not the provider's ARN:
# For the condition keys this is wrong:
arn:aws:iam::xxxx8:oidc-provider/oidc.eks.xxxx.amazonaws.com/id/xxxx7
# This is what needs to be provided:
oidc.eks.xxxx.amazonaws.com/id/xxxx7
Incorrect service account name
This is the most common cause of the error. Ensure that the namespace and service account named in the trust relationship's sub condition are correct and free of typos:
"oidc.eks.<REGION>.amazonaws.com/id/<Your-EKS-cluster-OIDC-Provider-ID>:sub": "system:serviceaccount:<namespace>:<serviceaccount name>",
Missing sts.amazonaws.com from the trust relationship
Ensure the trust relationship includes the aud condition with the value sts.amazonaws.com:
"Condition": {
"StringEquals": {
"oidc.eks.<REGION>.amazonaws.com/id/<Your-EKS-cluster-OIDC-Provider-ID>:sub": "system:serviceaccount:<namespace>:<serviceaccount name>",
"oidc.eks.<REGION>.amazonaws.com/id/<Your-EKS-cluster-OIDC-Provider-ID>:aud": "sts.amazonaws.com"
}
}
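The four causes above (missing action, wrong provider reference, mistyped service account, missing aud) can all be caught by reviewing the trust policy before the pod ever calls STS. The following checker is an added example written for this article, not code from AWS or from the original post; the account ID, OIDC provider ID, namespace and service account names are constructed sample values.

```python
import json
# Constructed sample values for this example (not taken from the article)
PROVIDER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
ACCOUNT = "123456789012"

def check_irsa_trust_policy(policy_json, provider_host, namespace, service_account):
    """Return a list of findings for an IRSA trust policy; an empty list means it passes."""
    findings = []
    expected_sub = f"system:serviceaccount:{namespace}:{service_account}"
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            findings.append("statement does not allow sts:AssumeRoleWithWebIdentity")
            continue
        # The principal must be this cluster's OIDC provider ARN
        federated = stmt.get("Principal", {}).get("Federated", "")
        if not federated.endswith(":oidc-provider/" + provider_host):
            findings.append(f"Federated principal {federated!r} is not oidc-provider/{provider_host}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        # Condition keys use the provider hostname, never its ARN
        for key in cond:
            if key.startswith("arn:aws:iam::"):
                findings.append(f"condition key {key!r} uses the provider ARN instead of the hostname")
        # The token audience must be sts.amazonaws.com
        aud = cond.get(f"{provider_host}:aud")
        if aud != "sts.amazonaws.com":
            findings.append(f"aud is {aud!r}, expected 'sts.amazonaws.com'")
        # The subject must name exactly this namespace and service account
        sub = cond.get(f"{provider_host}:sub")
        if sub != expected_sub:
            findings.append(f"sub is {sub!r}, expected {expected_sub!r}")
    return findings

def trust_policy(sub, with_aud=True):
    """Build a constructed trust policy with the given sub and, optionally, the aud condition."""
    cond = {f"{PROVIDER}:sub": sub}
    if with_aud:
        cond[f"{PROVIDER}:aud"] = "sts.amazonaws.com"
    return json.dumps({"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{PROVIDER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": cond}}]})

if __name__ == "__main__":
    # Service account name typo plus missing aud: both findings are reported
    bad = trust_policy("system:serviceaccount:secretman:abhi-deployment", with_aud=False)
    print(check_irsa_trust_policy(bad, PROVIDER, "secretman", "abhi-deployment-sa"))
```

To check a real role, feed the output of `aws iam get-role` (the AssumeRolePolicyDocument field) to check_irsa_trust_policy along with the cluster's provider hostname.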
Conclusion
The "AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity" error can be challenging to troubleshoot, but understanding its causes and following the steps outlined in this article should help you resolve it effectively. It's crucial to have a clear understanding of IAM policies, trust relationships, and the validity of web identity tokens when working with AWS services that involve role assumption. By addressing the root cause of the error, you can ensure that your AWS resources are accessed securely and in compliance with your security policies.