AWS STS: GetFederationToken works locally, but fails from Lambda
I'm trying to generate a temporary token via STS, using the aws-sdk (TypeScript). This is the code which tries to obtain the token.
import { STS } from "aws-sdk";

// Client picks up whatever credentials the runtime provides
// (local profile keys on a workstation, the execution-role session in Lambda).
const sts = new STS();

export async function handler() {
  // Ask STS for federated-user credentials scoped down to SES.
  const token = await sts
    .getFederationToken({
      DurationSeconds: 7200,
      Name: "test",
      Policy: JSON.stringify({
        Version: "2012-10-17",
        Statement: {
          Effect: "Allow",
          Action: "ses:*",
          Resource: "*",
        },
      }),
    })
    .promise();
  return token.Credentials;
}
Executing it locally works. Deploying it to a Lambda and running it yields the following error:
{
  "errorType": "AccessDenied",
  "errorMessage": "Cannot call GetFederationToken with session credentials",
  "trace": [
    "AccessDenied: Cannot call GetFederationToken with session credentials",
    "    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/query.js:50:29)",
    "    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)",
    "    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)",
    "    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:686:14)",
    "    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)",
    "    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)",
    "    at /var/runtime/node_modules/aws-sdk/lib/state_machine.js:26:10",
    "    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:38:9)",
    "    at Request.<anonymous> (/var/runtime/node_modules/aws-sdk/lib/request.js:688:12)",
    "    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:116:18)"
  ]
}
I am fairly certain the function has all the rights that are necessary (sts:*, ses:*, ...). Do Lambdas generally run in a context where getFederationToken is not permitted?
Solution 1:[1]
I just ran into the same problem... I understand that Lambda gets its role via AssumeRole, which, if we look at the STS API Comparison, says:
Cannot call GetFederationToken or GetSessionToken.
And if we continue to look, it appears no such API is able to call those APIs (being an STS operation).
The only workaround I can figure is to create an IAM user and use its API keys directly (stored securely, perhaps in Secrets Manager).
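As an added example (not code from the question or the answer above, and not aws-sdk code), the following TypeScript makes the distinction behind that error explicit and shows the STS route that does work from a Lambda. Temporary credentials issued by STS always carry a session token, so GetFederationToken is only planned when the process holds long-term IAM user keys; session credentials (the Lambda execution-role case) get AssumeRole with the same inline session policy instead, which STS permits with session credentials (role chaining) but caps at one hour. The STS client is passed in through a structural interface so the logic runs without the SDK; the role ARN, the `ses:*` action and the session name are assumptions.

```typescript
// Added example, not code from the question or answer above.
// Picks the STS operation the currently held credentials may call and builds
// the request for it. Role ARN, action list and names are assumptions.

export interface Credentials {
  accessKeyId: string;
  secretAccessKey: string;
  sessionToken?: string;
}

export interface AssumeRoleParams {
  RoleArn: string;
  RoleSessionName: string;
  Policy?: string;
  DurationSeconds?: number;
}

export interface FederationTokenParams {
  Name: string;
  Policy?: string;
  DurationSeconds?: number;
}

// Structural view of the aws-sdk v2 STS client: `new STS()` satisfies it,
// and so does a fake in a test.
export interface StsLike {
  assumeRole(params: AssumeRoleParams): { promise(): Promise<unknown> };
  getFederationToken(params: FederationTokenParams): { promise(): Promise<unknown> };
}

export type Plan =
  | { operation: "AssumeRole"; params: AssumeRoleParams }
  | { operation: "GetFederationToken"; params: FederationTokenParams };

export interface IssueOptions {
  name: string;            // session name / federated-user name
  actions: string[];       // actions the scoped-down credentials may use
  durationSeconds: number; // requested lifetime
  roleArn: string;         // role to chain into when only session credentials are held
}

// AssumeRole called with credentials that themselves came from AssumeRole
// (role chaining) is limited to one hour by STS, whatever DurationSeconds asks.
export const ROLE_CHAINING_MAX_SECONDS = 3600;

// Lambda exposes its execution-role session through these variables; pass
// `process.env`. Returns undefined when no key pair is present.
export function credentialsFromEnv(env: Record<string, string | undefined>): Credentials | undefined {
  const accessKeyId = env["AWS_ACCESS_KEY_ID"];
  const secretAccessKey = env["AWS_SECRET_ACCESS_KEY"];
  if (!accessKeyId || !secretAccessKey) return undefined;
  return { accessKeyId, secretAccessKey, sessionToken: env["AWS_SESSION_TOKEN"] };
}

// Temporary credentials from STS always carry a session token (their key IDs
// also start with "ASIA" rather than "AKIA"); long-term IAM user keys never do.
export function isSessionCredentials(creds: Credentials): boolean {
  return typeof creds.sessionToken === "string" && creds.sessionToken.length > 0;
}

// Inline session policy: the issued credentials get the intersection of the
// principal's own permissions and this document.
export function scopedPolicy(actions: string[], resource: string = "*"): string {
  return JSON.stringify({
    Version: "2012-10-17",
    Statement: [{ Effect: "Allow", Action: actions, Resource: resource }],
  });
}

export function planTemporaryCredentials(creds: Credentials, opts: IssueOptions): Plan {
  const policy = scopedPolicy(opts.actions);
  if (!isSessionCredentials(creds)) {
    // Long-term IAM user keys: GetFederationToken is permitted.
    return {
      operation: "GetFederationToken",
      params: { Name: opts.name, Policy: policy, DurationSeconds: opts.durationSeconds },
    };
  }
  // Session credentials (the Lambda case): STS rejects GetFederationToken and
  // GetSessionToken, so chain into a role with the same session policy instead.
  return {
    operation: "AssumeRole",
    params: {
      RoleArn: opts.roleArn,
      RoleSessionName: opts.name,
      Policy: policy,
      DurationSeconds: Math.min(opts.durationSeconds, ROLE_CHAINING_MAX_SECONDS),
    },
  };
}

export async function issueScopedCredentials(
  sts: StsLike,
  creds: Credentials,
  opts: IssueOptions,
): Promise<{ operation: Plan["operation"]; response: unknown }> {
  const plan = planTemporaryCredentials(creds, opts);
  const response =
    plan.operation === "AssumeRole"
      ? await sts.assumeRole(plan.params).promise()
      : await sts.getFederationToken(plan.params).promise();
  return { operation: plan.operation, response };
}
```

In a Lambda this is wired as `issueScopedCredentials(new STS(), credentialsFromEnv(process.env)!, { name: "test", actions: ["ses:*"], durationSeconds: 7200, roleArn: "arn:aws:iam::123456789012:role/ses-sender" })` with `STS` imported from aws-sdk v2 (the account ID and role name are placeholders). For the AssumeRole path the execution role needs `sts:AssumeRole` on the target role, the target role's trust policy must name the execution role, and the credentials that come back carry the intersection of the target role's policies and the session policy, never more than either.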
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | Arelius |
