newuser-119e7197-3e4b-4485-a4fd-a40be3d8a094 asked ·

sts:TagSession not authorized

Using sts.assume_role in boto3, we can successfully get temporary credentials:

import boto3

# STS client used for both calls below
sts = boto3.client('sts')

temp_credentials = sts.assume_role(
    RoleArn='arn:aws:iam::XXXXXXXXX:role/YYYYYYYYYYYYY',
    # RoleSessionName is used in the ${aws:userid} variable
    RoleSessionName='f1946c',
    DurationSeconds=7200
)

However, when adding tags in the function as below, it reports an access denied error:

temp_credentials = sts.assume_role(
    RoleArn='arn:aws:iam::XXXXXXXXX:role/YYYYYYYYYYYYY',
    # RoleSessionName is used in the ${aws:userid} variable
    RoleSessionName='f1946c',
    DurationSeconds=7200,
    Tags=[
        {
            'Key': 'client_id',
            'Value': 'cd_f1946c'
        }
    ]
)

While testing, the policy for the RoleArn is open:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "sts:AssumeRole",
                "sts:TagSession",
                "sts:DecodeAuthorizationMessage"
            ],
            "Resource": "*"
        }
    ]
}

The error message implies the policy is wrong for TagSession, but as you can see it is set above:

botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::XXXXXXXX:user/ZZZZZZZZ is not authorized to perform: sts:TagSession on resource: arn:aws:iam::XXXXXXXXX:role/YYYYYYYYYYYYY


Anyone else successfully using tags when calling sts.assume_role or have tips to debug our issue?

aws

1 Answer

Levon@Amazon answered ·

Hi there,

Thanks for posting! This question is more suited for AWS Forums, please post it there: https://forums.aws.amazon.com/ - Thanks!
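
One way to check the policy documents involved in a tagged AssumeRole call, as an added example that is not part of the original question or answer. It relies on the AWS requirement that, when session tags are passed, the role's trust policy (the document with a Principal element) must allow sts:TagSession as well as sts:AssumeRole. The helper names, the account ID, the user name and the two trust policies are constructed for illustration.

```python
import fnmatch

REQUIRED = ("sts:AssumeRole", "sts:TagSession")

def _as_list(value):
    """IAM allows a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def is_trust_policy(policy):
    """A trust policy names a Principal; an identity policy names a Resource."""
    return any("Principal" in s for s in _as_list(policy.get("Statement")))

def missing_actions(policy, required=REQUIRED):
    """Actions in `required` that no Allow statement grants.
    Simplification: Deny statements and Condition blocks are not evaluated."""
    granted = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action")):
            granted.update(a for a in required
                           if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return [a for a in required if a not in granted]

# Policy from the question: it has Resource and no Principal.
POSTED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Sid": "VisualEditor0", "Effect": "Allow",
    "Action": ["sts:AssumeRole", "sts:TagSession", "sts:DecodeAuthorizationMessage"],
    "Resource": "*"}]}

# Constructed trust policies (account ID and user name are placeholders).
PRINCIPAL = {"AWS": "arn:aws:iam::111122223333:user/example-user"}
TRUST_ASSUME_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": PRINCIPAL, "Action": "sts:AssumeRole"}]}
TRUST_WITH_TAGS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": PRINCIPAL,
    "Action": ["sts:AssumeRole", "sts:TagSession"]}]}

if __name__ == "__main__":
    for name, doc in [("posted", POSTED_POLICY), ("assume-only", TRUST_ASSUME_ONLY),
                      ("with-tags", TRUST_WITH_TAGS)]:
        print(name, "trust policy:", is_trust_policy(doc),
              "missing:", missing_actions(doc))
```

On a live account, the role's trust policy is the AssumeRolePolicyDocument returned by the IAM get_role call, which boto3 hands back as a dict that can be passed to these functions directly.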
