AWS Assume Role via .Net SDK gives Access Denied but works with CLI

[mahesh-cognologix]

I am trying to upload a file in S3 by AWS Assume Role. When I am trying to access it from CLI it works fine but from .Net SDK it gives me Access Denied error.

Here are the steps I followed in CLI -

1. Setup the access key/secret key for user using aws configure
2. Assume the Role - “aws sts assume-role --role-arn "arn:aws:iam::1010101010:role/Test-Account-Role" --role-session-name AWSCLI-Session”
3. Take the access key / secret key / session token from the assumed role and setup an AWS profile. The credentials are printed out/returned from the assumed role.
4. Switch to the assume role profile: “set AWS_PROFILE=”
5. Verify that the user has the role: “aws sts get-caller-identity”
6. Access the bucket using ls or cp or rm command - Works Successfully.

Now I am trying to access it from .Net core App -

Here is the code snippet- Note that I am using same Access and Secret key as CLI from my local.

        try
        {
            var region = RegionEndpoint.GetBySystemName(awsRegion);

            SessionAWSCredentials tempCredentials = await GetTemporaryCredentialsAsync(awsAccessKey, awsSecretKey, region, roleARN);

            //Use the temp credentials received to create the new client
            IAmazonS3 client = new AmazonS3Client(tempCredentials, region);
            
            TransferUtility utility = new TransferUtility(client);
            // making a TransferUtilityUploadRequest instance
            TransferUtilityUploadRequest request = new TransferUtilityUploadRequest
            {
                BucketName = bucketName, 
                Key = $"{subFolder}/{fileName}", 
                FilePath = localFilePath 
            utility.Upload(request); //transfer
            fileUploadedSuccessfully = true;

        }
        catch (AmazonS3Exception ex)
        {
            // HandleException
        }
        catch (Exception ex)
        {
             // HandleException
        }

The method to get temp credentials is as follow - GetTemporaryCredentialsAsync

  private static async Task<SessionAWSCredentials> GetTemporaryCredentialsAsync(string awsAccessKey, string awsSecretKey, RegionEndpoint region, string roleARN)
        {
            using (var stsClient = new AmazonSecurityTokenServiceClient(awsAccessKey, awsSecretKey, region))
            {

                var getSessionTokenRequest = new GetSessionTokenRequest
                {
                    DurationSeconds = 7200
                };

                await stsClient.AssumeRoleAsync(
                    new AssumeRoleRequest()
                    {
                        RoleArn = roleARN,
                        RoleSessionName = "mySession"
                    });

                GetSessionTokenResponse sessionTokenResponse =
                              await stsClient.GetSessionTokenAsync(getSessionTokenRequest);

                Credentials credentials = sessionTokenResponse.Credentials;

                var sessionCredentials =
                    new SessionAWSCredentials(credentials.AccessKeyId,
                                              credentials.SecretAccessKey,
                                              credentials.SessionToken);
                return sessionCredentials;
            }
        }

I am getting back the temp credentials but it gives me Access Denied while uploading the file. Not sure if I am missing anything here.

Also noted that the token generated via SDK is shorter than that from CLI. I tried pasting these temp credentials to local profile and then tried to access the bucket and getting the Access Denied error then too.

I enabled the AWS Logging and here are the additional logs. -

EnvironmentVariableInternalConfiguration 1|2022-06-15T22:06:47.379Z|INFO|The environment variable AWS_ENABLE_ENDPOINT_DISCOVERY was not set with a value.
EnvironmentVariableInternalConfiguration 2|2022-06-15T22:06:47.383Z|INFO|The environment variable AWS_MAX_ATTEMPTS was not set with a value.
EnvironmentVariableInternalConfiguration 3|2022-06-15T22:06:47.385Z|INFO|The environment variable AWS_RETRY_MODE was not set with a value.
ProfileInternalConfiguration 4|2022-06-15T22:06:47.388Z|INFO|Unable to find a profile named 'newQA' in store Amazon.Runtime.CredentialManagement.CredentialProfileStoreChain
AmazonS3Client 6|2022-06-15T22:07:20.300Z|ERROR|An exception of type HttpErrorResponseException was handled in ErrorHandler. --> Amazon.Runtime.Internal.HttpErrorResponseException: Exception of type 'Amazon.Runtime.Internal.HttpErrorResponseException' was thrown.
at Amazon.Runtime.HttpWebRequestMessage.GetResponseAsync(CancellationToken cancellationToken)
at Amazon.Runtime.Internal.HttpHandler1.InvokeAsync[T](IExecutionContext executionContext) at Amazon.Runtime.Internal.RedirectHandler.InvokeAsync[T](IExecutionContext executionContext) at Amazon.Runtime.Internal.Unmarshaller.InvokeAsync[T](IExecutionContext executionContext) at Amazon.S3.Internal.AmazonS3ResponseHandler.InvokeAsync[T](IExecutionContext executionContext) at Amazon.Runtime.Internal.ErrorHandler.InvokeAsync[T](IExecutionContext executionContext) AmazonS3Client 7|2022-06-15T22:07:20.368Z|ERROR|AmazonS3Exception making request PutObjectRequest to https://bucket-us-east-1.s3.amazonaws.com/. Attempt 1. --> Amazon.S3.AmazonS3Exception: Access Denied ---> Amazon.Runtime.Internal.HttpErrorResponseException: Exception of type 'Amazon.Runtime.Internal.HttpErrorResponseException' was thrown. at Amazon.Runtime.HttpWebRequestMessage.GetResponseAsync(CancellationToken cancellationToken) at Amazon.Runtime.Internal.HttpHandler1.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.RedirectHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.Unmarshaller.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.S3.Internal.AmazonS3ResponseHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.ErrorHandler.InvokeAsync[T](IExecutionContext executionContext)
--- End of inner exception stack trace ---
at Amazon.Runtime.Internal.HttpErrorResponseExceptionHandler.HandleException(IExecutionContext executionContext, HttpErrorResponseException exception)
at Amazon.Runtime.Internal.ExceptionHandler`1.Handle(IExecutionContext executionContext, Exception exception)
at Amazon.Runtime.Internal.ErrorHandler.ProcessException(IExecutionContext executionContext, Exception exception)
at Amazon.Runtime.Internal.ErrorHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.CallbackHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.EndpointDiscoveryHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.EndpointDiscoveryHandler.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.CredentialsRetriever.InvokeAsync[T](IExecutionContext executionContext)
at Amazon.Runtime.Internal.RetryHandler.InvokeAsync[T](IExecutionContext executionContext)

[ashishdhingra]

@mahesh-cognologix Good morning. Your .NET logic to use temporary credentials with assumed role appears to be incorrect. The call to AssumeRole service API operation itself returns the temporary session credentials. But in your code you are executing the AssumeRoleAsync:

await stsClient.AssumeRoleAsync(
                    new AssumeRoleRequest()
                    {
                        RoleArn = roleARN,
                        RoleSessionName = "mySession"
                    });

without consuming the returned credentials. Then you are just constructing new session credentials with no role attached and hence you get Access Denied error while executing .NET code. If your compare your .NET logic with AWS CLI calls, both are different.

For guidance on using AssumeRoleAsync() using .NET SDK, please refer example at Create an IAM user and assume a role with AWS STS using an AWS SDK

[mahesh-cognologix]

@ashishdhingra Thanks a lot. It was a blunder from my side as I messed up it during trying different ways of getting token and forgot to remove the other line.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.