I have to generate a federated token using AWS STS for an authenticated Cognito user in the Cognito user pool. The problem is that when I run the code following the AWS documentation, it returns this error:
unexpected exception AccessDenied: User: arn:aws:iam::123456789:user/abc is not authorized to perform: sts:AssumeRole on resource: arn:aws:chime:us-east-1:123456789:app-instance/xxx/user/yyy
I have been trying for the past week to solve this problem and have searched almost everything on the internet.
I have already tried some of these solutions but still no luck:
Here's my trust relationship IAM Role JSON file:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "Statement0",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789:user/abc"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "Statement1",
      "Effect": "Allow",
      "Principal": {
        "Service": "lambda.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    },
    {
      "Sid": "Statement2",
      "Effect": "Allow",
      "Principal": {
        "Service": "chime.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
And here is my inline-policy of IAM Role:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "sts:GetSessionToken",
        "sts:AssumeRole",
        "sts:TagSession",
        "sts:GetFederationToken",
        "sts:SetSourceIdentity",
        "sts:DecodeAuthorizationMessage",
        "sts:AssumeRoleWithSAML",
        "sts:GetAccessKeyInfo",
        "sts:GetCallerIdentity",
        "sts:AssumeRoleWithWebIdentity",
        "sts:GetServiceBearerToken"
      ],
      "Resource": "*"
    }
  ]
}
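An added example, not from the question or from AWS, of a local pre-flight check for an AssumeRole call: it verifies that the RoleArn names an IAM role and that the role's trust policy (copied from the question) lists the caller as a principal. The role name ChimeFederationRole and the check_assume_role helper are assumptions for illustration.

```python
import json
import re

# Trust policy as posted in the question, embedded so this runs offline.
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "Statement0", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::123456789:user/abc"},
     "Action": "sts:AssumeRole"},
    {"Sid": "Statement1", "Effect": "Allow",
     "Principal": {"Service": "lambda.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Sid": "Statement2", "Effect": "Allow",
     "Principal": {"Service": "chime.amazonaws.com"},
     "Action": "sts:AssumeRole"}
  ]
}
""")

# Only an ARN of this shape names an IAM role; STS cannot assume anything else.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d+:role/[\w+=,.@/-]+$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_policy_allows(policy, principal_arn, action="sts:AssumeRole"):
    """Offline approximation of trust-policy evaluation for an IAM principal:
    an explicit Deny wins; otherwise any Allow naming the caller (or "*") grants."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if action not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if principal_arn not in aws and "*" not in aws:
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed


def check_assume_role(caller_arn, role_arn, trust_policy):
    """Mirror the two conditions STS checks before AssumeRole succeeds. Returns (ok, reason)."""
    if not ROLE_ARN_RE.match(role_arn):
        return False, "RoleArn is not an IAM role ARN: " + role_arn
    if not trust_policy_allows(trust_policy, caller_arn):
        return False, "trust policy does not allow " + caller_arn + " to assume the role"
    return True, "ok"
```

Running check_assume_role with the ARN from the error message as RoleArn fails the first check, because that ARN identifies a Chime app-instance user rather than an IAM role.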