I’m trying to invoke Entity Resolution APIs
IAM User Details:
- IAM User: user1
- Policy Name: AssumeRolePolicy
I generated Access key and secret for user1 and using those in my spring boot application.
Policy Attached to user1 (AssumeRolePolicy):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::004724176825:role/scv-er-poc-er-service-sbox"
}
]
}
Role Details (scv-er-poc-er-service-sbox
). This role has AWSEntityResolutionConsoleFullAccess
policy attached to it.:
In Trusted Entities:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::004724176825:user/user1",
"Service": "entityresolution.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
Despite the policies and role configuration, an error occurs with the message:
User: arn:aws:iam::004724176825:user/user1 is not authorized to perform: entityresolution:GetMatchId on resource: arn:aws:entityresolution:eu-west.
Which is the step iam missing in this flow ?
My Java code :
@Bean
public EntityResolutionClient entityResolutionClient() {
AwsCredentials credentials = AwsBasicCredentials.create("<Access key>",
"<Secret>");
StaticCredentialsProvider staticProvider = StaticCredentialsProvider.create(credentials);
Region region = Region.EU_WEST_1;
EntityResolutionClient entityResolutionClient = EntityResolutionClient.builder()
.region(region)
.credentialsProvider(staticProvider)
.build();
return entityResolutionClient;
}
2
Answers
You must assume the role first, then use those credentials (since they have the permission to call via
AWSEntityResolutionConsoleFullAccess
).Assuming a role example:
The IAM user has to assume the role with the AWS Security Token Service (AWS STS) AssumeRole API operation. This operation will provide you with temporary security credentials (AccessKeyId, SecretAccessKey, SessionToken) that will enable the user to access the AWS resources (in your case Entity Resolution). The below AWS doc example shows how to obtain temporary security credentials and use them to authenticate your requests to Amazon S3 in Java:
You can also use AWS STS GetCallerIdentity to verify that you assumed the scv-er-poc-er-service-sbox.
Hope it helps.