Hey there,

We are trying to set up a CI/CD pipeline for our Terraform repositories that incorporates federated credentials generated by the AWS secrets engine in Vault. When doing this, I’ve noticed certain IAM actions are denied, even though I’ve explicitly given `iam:*` on all resources. I’ve tested in the CLI using the credentials and confirmed that they work for other actions.
`aws s3 ls` gives a full list of our S3 buckets.

`aws iam get-role --role-name redacted-role-name` gives this error:

```
An error occurred (InvalidClientTokenId) when calling the GetRole operation: The security token included in the request is invalid
```
This is the role I created for the operation:

```
Key                        Value
---                        -----
credential_type            federation_token
default_sts_ttl            0s
iam_groups                 <nil>
iam_tags                   <nil>
max_sts_ttl                0s
permissions_boundary_arn   n/a
policy_arns                <nil>
policy_document            {"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["*"],"Resource":"*"}}
role_arns                  <nil>
user_path                  n/a
```
The AWS user we have creating these credentials (configured within the AWS secrets engine) has the AdministratorAccess IAM role, which gives these permissions:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}
```
Any insights into why my federation token might not have IAM access would be super appreciated. Could this be a “security feature” within AWS itself?
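An added example, not part of the original post and not Vault's or AWS's own code, that separates the two things the question conflates: whether the Vault role's `policy_document` allows `iam:GetRole` (it does), and whether the credential type can reach the IAM API at all. AWS documents that temporary credentials from `GetFederationToken` (Vault `credential_type=federation_token`, which produce a `federated-user` caller ARN) cannot call any IAM API operation, and no STS operation other than `GetCallerIdentity`, regardless of the attached policy. The ARNs and account id below are constructed placeholders, and the policy evaluator is a deliberately minimal one (identity policy only; no permissions boundaries, SCPs or condition keys):

```python
import fnmatch
import json

# Constructed sample inputs (not from a live account): the policy_document
# attached to the Vault role in the post, and caller ARNs of the shapes that
# `aws sts get-caller-identity` returns for different credential types.
VAULT_ROLE_POLICY = json.loads(
    '{"Version":"2012-10-17","Statement":{"Effect":"Allow","Action":["*"],"Resource":"*"}}'
)
SAMPLE_FEDERATED_ARN = "arn:aws:sts::123456789012:federated-user/vault-ci-example"
SAMPLE_ASSUMED_ROLE_ARN = "arn:aws:sts::123456789012:assumed-role/ci-deploy/vault-session"


def _as_list(value):
    """IAM accepts a single string or a list for Statement, Action and Resource."""
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource="*"):
    """Minimal IAM identity-policy evaluation: an explicit Deny wins, otherwise
    any matching Allow grants the action. IAM action names are case-insensitive
    and support '*' and '?' wildcards, which fnmatch handles."""
    allowed = False
    for statement in _as_list(policy.get("Statement", [])):
        actions = [a.lower() for a in _as_list(statement.get("Action", []))]
        resources = _as_list(statement.get("Resource", []))
        action_hit = any(fnmatch.fnmatchcase(action.lower(), p) for p in actions)
        resource_hit = any(fnmatch.fnmatchcase(resource, p) for p in resources)
        if action_hit and resource_hit:
            if statement.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def credential_kind(caller_arn):
    """Classify the Arn field of `aws sts get-caller-identity`:
    sts ... federated-user/...   -> GetFederationToken (Vault credential_type=federation_token)
    sts ... assumed-role/...     -> AssumeRole         (Vault credential_type=assumed_role)
    iam ... user/...             -> long-lived keys    (Vault credential_type=iam_user)"""
    parts = caller_arn.split(":", 5)
    if len(parts) != 6:
        raise ValueError(f"not an ARN: {caller_arn}")
    service, resource = parts[2], parts[5]
    resource_type = resource.split("/", 1)[0]
    if service == "sts" and resource_type == "federated-user":
        return "federation_token"
    if service == "sts" and resource_type == "assumed-role":
        return "assumed_role"
    if service == "iam" and resource_type == "user":
        return "iam_user"
    return "unknown"


def diagnose(policy, caller_arn, action):
    """Tell 'the policy denies it' apart from 'this credential type cannot reach
    the API at all'. Per AWS documentation, GetFederationToken credentials cannot
    call IAM operations, nor STS operations other than GetCallerIdentity."""
    kind = credential_kind(caller_arn)
    service = action.split(":", 1)[0].lower()
    blocked_by_credential_type = kind == "federation_token" and (
        service == "iam"
        or (service == "sts" and action.lower() != "sts:getcalleridentity")
    )
    allowed = policy_allows(policy, action)
    return {
        "credential_kind": kind,
        "policy_allows": allowed,
        "iam_api_reachable": not blocked_by_credential_type,
        "expected_to_succeed": allowed and not blocked_by_credential_type,
    }


if __name__ == "__main__":
    for arn in (SAMPLE_FEDERATED_ARN, SAMPLE_ASSUMED_ROLE_ARN):
        for action in ("s3:ListAllMyBuckets", "iam:GetRole"):
            print(arn, action, diagnose(VAULT_ROLE_POLICY, arn, action))
```

To use this against real credentials, run `aws sts get-caller-identity` with the Vault-issued keys and pass the returned `Arn` to `diagnose`. A `federated-user` ARN with a policy that allows the action but `iam_api_reachable` false points at the credential type rather than the policy; the Vault AWS secrets engine's other credential types (`assumed_role` via `role_arns`, or `iam_user`) produce caller identities that this limitation does not apply to.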