I have created a Lambda function URL secured with IAM_AUTH and have created a user attached to a group containing a policy which can invoke function URLs.
Taking the user's Access Key and Secret Key I can call the function url in Postman with a 200 OK response.
However, I want to have my users assume a role to grant them the lambda:InvokeFunctionUrl action.
So, I have created a role with the above policy attached and set the trust relationship to a new user:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::012345678901:user/myFunctionUrlUser"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
That user is not in any group and has just one inline policy attached, allowing it to assume any role in my account...
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunctionUrl",
            "Resource": "arn:aws:lambda:*:012345678901:function:*"
        }
    ]
}
However, when I use this user's Access Key and Secret in Postman I get 403 Forbidden.
What am I missing?
CodePudding user response:
You shouldn't be using the credentials of the user directly; instead, you should be assuming the role that you created.
Open a new terminal and export the user's credentials:
$ export AWS_ACCESS_KEY_ID=...
$ export AWS_SECRET_ACCESS_KEY=...
then, assume the IAM role (replace <ROLE-ARN> with the ARN of your role):
$ aws sts assume-role --role-arn <ROLE-ARN> --role-session-name "mysession" --duration-seconds 3600
then, fetch the credentials associated with your session:
$ aws sts get-caller-identity
this will return the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN of the session. Use those in Postman.
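As an added example (not code from the question or the answer above), the Python script below shows what Postman has to do with the temporary credentials once a role has been assumed: it reads AccessKeyId, SecretAccessKey and SessionToken out of a constructed sample of the JSON that `aws sts assume-role` prints, then builds the AWS Signature Version 4 headers for a request to a function URL. The point it makes is that role credentials come with a session token, and that token must be sent as the X-Amz-Security-Token header and included in the signature; a request signed with an assumed-role access key but without the token is rejected. The function URL, account id, role name and credential values are made-up placeholders, and the request path and query string are assumed to be already in canonical form.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample of `aws sts assume-role` output; every value is a fake placeholder.
SAMPLE_ASSUME_ROLE_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEEXAMPLE12",
        "SecretAccessKey": "exampleSecretKeyExampleSecretKeyExample",
        "SessionToken": "FwoGZXIvYXdzEXAMPLEsessionTokenEXAMPLE",
        "Expiration": "2024-01-01T13:00:00+00:00",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEEXAMPLE12:mysession",
        "Arn": "arn:aws:sts::012345678901:assumed-role/myFunctionUrlRole/mysession",
    },
})

# Hypothetical function URL; the region in the hostname is the region used for signing.
SAMPLE_FUNCTION_URL = "https://abc123example.lambda-url.us-east-1.on.aws/"
SAMPLE_REGION = "us-east-1"

# Fixed clock so the example is reproducible; a real client uses the current UTC time.
FIXED_TIME = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)


def credentials_from_assume_role(output_json):
    """Pick the three values a SigV4 client needs out of the assume-role response."""
    creds = json.loads(output_json)["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],
    }


def _sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_function_url_request(method, url, region, access_key, secret_key,
                              session_token=None, body=b"", now=None):
    """Return the headers for a SigV4-signed request to a Lambda function URL.

    Function URLs are signed with service name "lambda". When a session token is
    given it becomes the x-amz-security-token header and is part of the signature.
    """
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    service = "lambda"

    parsed = urlparse(url)
    path = parsed.path or "/"       # assumed already URI-encoded/canonical
    query = parsed.query            # assumed already sorted and encoded
    payload_hash = _sha256_hex(body)

    headers = {
        "host": parsed.netloc,
        "x-amz-content-sha256": payload_hash,
        "x-amz-date": amz_date,
    }
    if session_token:
        headers["x-amz-security-token"] = session_token

    # Canonical request: headers sorted by lowercase name, each "name:value\n".
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    canonical_request = "\n".join(
        [method, path, query, canonical_headers, signed_headers, payload_hash])

    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope, _sha256_hex(canonical_request.encode())])

    # Derive the signing key: date -> region -> service -> "aws4_request".
    k_date = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    k_signing = _hmac(k_service, "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode(), hashlib.sha256).hexdigest()

    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def example_signed_headers(with_token=True):
    """Sign a GET to the sample function URL with the sample role credentials."""
    creds = credentials_from_assume_role(SAMPLE_ASSUME_ROLE_OUTPUT)
    return sign_function_url_request(
        "GET", SAMPLE_FUNCTION_URL, SAMPLE_REGION,
        creds["AWS_ACCESS_KEY_ID"], creds["AWS_SECRET_ACCESS_KEY"],
        creds["AWS_SESSION_TOKEN"] if with_token else None, now=FIXED_TIME)


if __name__ == "__main__":
    for name, value in example_signed_headers().items():
        print(f"{name}: {value}")
```

In Postman this corresponds to choosing the "AWS Signature" auth type, filling in the three values (the session token goes in the Session Token field), and setting Service Name to lambda and the region to the one in the function URL hostname. Whether the signature was made with the user's long-lived key or the role's temporary key shows up in the Credential part of the Authorization header, which is also what CloudTrail records for the invoke.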