Configure access role for IAM user


I have an S3 Java client which I want to run. But I get an error during startup:

Caused by: com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: User: arn:aws:iam::123456789:user/test-key is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:user/test-key (Service: AWSSecurityTokenService; Status Code: 403; Error Code: AccessDenied; Request ID: 3b9b4bd4-48d1-40dc-a7d-f33d1cfffbb5; Proxy: null)

Do you know how I can set this permission in the AWS IAM panel?

EDIT:

    // Build the AssumeRole request from the configured ARN, session duration and session name
    AssumeRoleRequest assumeRequest = new AssumeRoleRequest()
        .withRoleArn(awsArn)
        .withDurationSeconds(s3Properties.getSessionDuration())
        .withRoleSessionName(s3Properties.getAwsSessionname());

    // STS client authenticated with the long-term IAM user credentials
    AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
        .withCredentials(new AWSStaticCredentialsProvider(credentials))
        .withRegion(s3Properties.getAwsRegion())
        .build();

    // This is the call that fails with the 403 AccessDenied above
    AssumeRoleResult assumeResult = stsClient.assumeRole(assumeRequest);
    Credentials credentials2 = assumeResult.getCredentials();


Ben Whaley

The error indicates that you are using an IAM user to assume an IAM user:

User: arn:aws:iam::123456789:user/test-key is not authorized to perform: 
sts:AssumeRole on resource: arn:aws:iam::123456789:user/test-key

AssumeRole is used with IAM roles, not IAM users. In your code snippet:

AssumeRoleRequest assumeRequest = (new AssumeRoleRequest()).withRoleArn(awsArn).withDurationSeconds(s3Properties.getSessionDuration()).withRoleSessionName(s3Properties.getAwsSessionname());

The value for awsArn must be an IAM user. The value should instead be an IAM role that has a trust policy allowing the test-key user to assume the role. Read the documentation on AssumeRole and see the example in the AWS SDK docs. I won't reproduce them here as they are quite explicit about what you need to do.

deep bajaj

Kindly use AssumeRole with roles, not with the IAM user.

Role ARN Sample - RoleArn=arn:aws:iam::123456789012:role/demo

SDK Guide - https://docs.aws.amazon.com/code-library/latest/ug/sts_example_sts_AssumeRole_section.html

Ricardo Gellman

You could fix the permission error by creating a new IAM role in the IAM console with S3 access permissions, then update your Java client code to use the ARN of this new role instead of the user ARN in the AssumeRoleRequest. This allows your client to assume temporary credentials with the necessary S3 access, avoiding the attempt to assume its own identity.

AssumeRoleRequest assumeRequest = (new AssumeRoleRequest())
  .withRoleArn("arn:aws:iam::123456789:role/myS3Role")
  .withDurationSeconds(s3Properties.getSessionDuration())
  .withRoleSessionName(s3Properties.getAwsSessionname());

(replace with your actual role ARN)
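The following is an added example, not code from the question or from any of the answers above. It puts the advice from the answers together with the AWS SDK for Java v1 classes the question already uses: it rejects anything that is not a role ARN before calling STS (so the mistake surfaces as a clear local error rather than a 403), assumes the role once and verifies via GetCallerIdentity that the resulting identity is an assumed-role session, and then builds an S3 client on a refreshing STSAssumeRoleSessionCredentialsProvider so the temporary credentials are renewed before they expire. The trust policy shown in the comment is the minimal one the role needs; note that if the trust policy names the account root instead of the user, the user additionally needs an identity-based policy allowing sts:AssumeRole on that role ARN. The account id, role name, region and bucket name are placeholders (assumptions), and the long-term user keys are read from the environment rather than embedded.

```java
// Added example (not part of the original post). Placeholder account id, role, region and
// bucket are assumptions; replace them with your own values.
//
// Minimal trust policy the role needs so that user test-key may assume it (JSON, attached to
// the role in the IAM console under "Trust relationships"):
// {
//   "Version": "2012-10-17",
//   "Statement": [{
//     "Effect": "Allow",
//     "Principal": { "AWS": "arn:aws:iam::123456789012:user/test-key" },
//     "Action": "sts:AssumeRole"
//   }]
// }
// If "Principal" were the account root ("arn:aws:iam::123456789012:root") instead, the user
// would also need an identity-based policy granting sts:AssumeRole on the role ARN.

import com.amazonaws.auth.AWSCredentialsProvider;
import com.amazonaws.auth.AWSStaticCredentialsProvider;
import com.amazonaws.auth.BasicAWSCredentials;
import com.amazonaws.auth.STSAssumeRoleSessionCredentialsProvider;
import com.amazonaws.services.s3.AmazonS3;
import com.amazonaws.services.s3.AmazonS3ClientBuilder;
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
import com.amazonaws.services.securitytoken.model.GetCallerIdentityRequest;
import java.util.regex.Pattern;

public class AssumeRoleExample {

    // arn:<partition>:iam::<12-digit account>:role/<optional path/><name>
    private static final Pattern ROLE_ARN =
        Pattern.compile("^arn:aws[a-zA-Z-]*:iam::\\d{12}:role/[\\w+=,.@/-]+$");

    /** Fail fast locally if the configured ARN is a user (or anything else) rather than a role. */
    static String requireRoleArn(String arn) {
        if (arn == null || !ROLE_ARN.matcher(arn).matches()) {
            throw new IllegalArgumentException(
                "sts:AssumeRole needs a role ARN (arn:aws:iam::<account>:role/<name>), got: " + arn);
        }
        return arn;
    }

    /** STS client authenticated with the long-term IAM user credentials. */
    static AWSSecurityTokenService stsClient(AWSCredentialsProvider userCreds, String region) {
        return AWSSecurityTokenServiceClientBuilder.standard()
            .withCredentials(userCreds)
            .withRegion(region)
            .build();
    }

    /** One explicit AssumeRole call; returns the ARN STS reports for the new session. */
    static String assumeRoleOnce(AWSSecurityTokenService sts, String roleArn,
                                 String sessionName, int durationSeconds) {
        AssumeRoleRequest req = new AssumeRoleRequest()
            .withRoleArn(requireRoleArn(roleArn))
            .withRoleSessionName(sessionName)      // visible in CloudTrail as the session identity
            .withDurationSeconds(durationSeconds); // 900 .. the role's MaxSessionDuration
        AssumeRoleResult res = sts.assumeRole(req);

        // Verify the credentials really belong to an assumed-role session, not the user.
        AWSSecurityTokenService asRole = AWSSecurityTokenServiceClientBuilder.standard()
            .withCredentials(new AWSStaticCredentialsProvider(
                new com.amazonaws.auth.BasicSessionCredentials(
                    res.getCredentials().getAccessKeyId(),
                    res.getCredentials().getSecretAccessKey(),
                    res.getCredentials().getSessionToken())))
            .withRegion("us-east-1") // placeholder region
            .build();
        return asRole.getCallerIdentity(new GetCallerIdentityRequest()).getArn(); // arn:aws:sts::...:assumed-role/<role>/<session>
    }

    /** S3 client whose credentials are re-assumed automatically before they expire. */
    static AmazonS3 s3ClientForRole(AWSSecurityTokenService sts, String roleArn,
                                    String sessionName, int durationSeconds, String region) {
        AWSCredentialsProvider refreshing =
            new STSAssumeRoleSessionCredentialsProvider.Builder(requireRoleArn(roleArn), sessionName)
                .withStsClient(sts)
                .withRoleSessionDurationSeconds(durationSeconds)
                .build();
        return AmazonS3ClientBuilder.standard()
            .withCredentials(refreshing)
            .withRegion(region)
            .build();
    }

    public static void main(String[] args) {
        String region = "us-east-1";                                        // placeholder
        String roleArn = "arn:aws:iam::123456789012:role/myS3Role";         // placeholder
        AWSCredentialsProvider userCreds = new AWSStaticCredentialsProvider(
            new BasicAWSCredentials(System.getenv("AWS_ACCESS_KEY_ID"),
                                    System.getenv("AWS_SECRET_ACCESS_KEY")));

        AWSSecurityTokenService sts = stsClient(userCreds, region);
        System.out.println("session identity: " + assumeRoleOnce(sts, roleArn, "s3-client", 3600));

        AmazonS3 s3 = s3ClientForRole(sts, roleArn, "s3-client", 3600, region);
        s3.listObjectsV2("my-bucket").getObjectSummaries()                  // placeholder bucket
          .forEach(o -> System.out.println(o.getKey()));
    }
}
```

Two things to check if the 403 persists after switching to a role ARN: the trust policy on the role must name the calling user (or its account root, in which case the user's own policy must also allow sts:AssumeRole on the role), and the requested DurationSeconds must not exceed the role's MaxSessionDuration, which defaults to one hour.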