I have 2 AWS accounts:
Account A: Running an EC2 with R Studio. The EC2 IAM Role can assume Role "bbbbbb-role" in Account B
Account B: Has Role "bbbbbb-role". The EC2 role in account A is allowed to assume this role. This Role can access the S3 bucket "MyS3Bucket" which is what I'm wanting access to.
Using AWS CLI from the Account A EC2 I can assume the Account B role fine:
aws sts assume-role --role-arn "arn:aws:iam::BBBBBBBB:role/bbbbbb-role" --role-session-name "MySession" --duration-seconds 3600 --output json
I want to do the same from within R. The EC2 in account A has R installed.
library(aws.signature) library(aws.iam) iam_info <- aws.signature::locate_credentials() b_role <- aws.iam::assume_role(role = 'arn:aws:iam::BBBBBBBB:role/bbbbbb-role', session = 'MySession', use = TRUE)
The above gives error:
In stsHTTP(query = query, ...) : Forbidden (HTTP 403)
Code : chr "SignatureDoesNotMatch"
Message: chr "Credential should be scoped to a valid region, not 'us-west-2'. "
I can't see any CloudTrail permission errors for the EC2 Role, so I'm thinking that R is not picking up the EC2 Role correctly.
Has anyone done this before, from a role in a source account, assumed a role in another account?