Hi,
Firstly, I'm no AWS/IAM expert, but any help would be greatly appreciated :-)
I'm trying to use assume to open browser windows for multiple accounts. One account (for which I'm a member of a group with AdministratorAccess permissions) works fine. The rest fail with:
[✘] operation error STS: GetFederationToken, https response error StatusCode: 403, RequestID: 180cdef4-3267-455c-94f7-aabbcccddee, api error AccessDenied: User: arn:aws:iam::0123456789:user/richard.jones@foo is not authorized to perform: sts:TagSession on resource: arn:aws:sts::0123456789:federated-user/richard.jones@foo
My ~/.aws/credentials has access and secret keys for the accounts; ~/.aws/config only contains the profile names and the region.
Additionally, all these accounts have MFA with a YubiKey. I can log in to all of them using a browser. So my question is: what permissions/role/policy do I need to apply to get this to work?
I know this is a gnarly topic, but the fact that one account works just fine gives me hope the others may be an easy win!
Thanks!
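Added note, not part of the original post: the AccessDenied message already names the missing action (sts:TagSession) and the resource it was evaluated against (the federated-user ARN arn:aws:sts::0123456789:federated-user/richard.jones@foo), which is what STS checks when GetFederationToken is called with session tags. The one account that works is the one whose group carries AdministratorAccess, which allows every action on every resource. For the other accounts, a minimal identity policy attached to the IAM user needs both sts:GetFederationToken and sts:TagSession on that federated-user ARN. The policy below is an example written for this note, not something from the thread or from the tool's documentation; the account ID and user name are the placeholders copied from the error message and must be replaced with the real ones.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowFederationTokenWithSessionTags",
      "Effect": "Allow",
      "Action": [
        "sts:GetFederationToken",
        "sts:TagSession"
      ],
      "Resource": "arn:aws:sts::0123456789:federated-user/richard.jones@foo"
    }
  ]
}
```

Scoping Resource to the federated-user ARN that appears in the error keeps the grant tied to that one user; "Resource": "*" would also satisfy the check but is broader than needed. Two caveats: the permissions of the resulting federated session are the intersection of the calling user's identity policies and whatever session policy the caller supplies, so this statement only makes the GetFederationToken call succeed and does not by itself grant anything in the target account. Also, GetFederationToken does not accept MFA parameters, so do not add an aws:MultiFactorAuthPresent condition to this statement while the profile uses long-term access keys from ~/.aws/credentials; with plain access keys the condition would deny the call.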