Getting failed to sign request: failed to retrieve credentials: failed to refresh cached credentials error

[Kanaga13579]

I am using AWS GetResources APIs to retrieve resources based on the tags. Please find the code snippet below.

        cfg, err := awsconfig.LoadDefaultConfig(context.TODO(), awsconfig.WithRegion("us-west-1"))
	if err != nil {
		log.Print("Erorr getting aws config ", err)
	}
	stsSvc := sts.NewFromConfig(cfg)
	creds := stscreds.NewAssumeRoleProvider(stsSvc, "arn:aws:iam::<account-id>:role/listtarget")
	cfg.Credentials = aws.NewCredentialsCache(creds)

	client := resourcegroupstaggingapi.NewFromConfig(cfg)
	var key string = "cluster"
	filters := []rgtypes.TagFilter{{
		Key:    &key,
		Values: []string{"cdg-test"},
	}}
	log.Print("tagged res key value ")
	input := &resourcegroupstaggingapi.GetResourcesInput{
		ResourceTypeFilters: []string{"elasticloadbalancing:targetgroup"},
		TagFilters:          filters,
	}
	out, err := client.GetResources(context.TODO(), input)
	log.Printf("tagged resources err %+v", err)`

I am getting the following error message from GetResources method.

"operation error Resource Groups Tagging API: GetResources, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, operation error STS: AssumeRole, failed to sign request: failed to retrieve credentials: failed to refresh cached credentials, failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity, https response error StatusCode: 403, RequestID: f048-36aa-4887-b8e2-d6f0ab9e, api error AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity"

Please suggest to resolve this issue.

Thanks in advance!

[RanVaknin]

Hi @Kanaga13579,

This is an IAM related issue. You are assuming a role that does not have the correct privileges to call GetResources on the Resource groups tagging API.

Please check out this article.

[Kanaga13579]

Hi @RanVaknin ,
I am getting similar error like
User: arn:aws:sts::accound-id:assumed-role/cdgoperator-Role-stackmulti01-CDG-1TT52J7OCKK70/1683186802209531190 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::accound-id:role/cdgoperator-Role-stackmulti01-CDG-1TT52J7OCKK70"

Here is my Roles added in AWS IAM.
Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "sts:*",
                "ec2:DescribeSubnets"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}

Trust Relationship:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::accound-id:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/B7F730846B99B184B302546272B4C9V2"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.us-east-1.amazonaws.com/id/B7F730846B99B184B302546272B4C9V2:aud": "sts.amazonaws.com",
                    "oidc.eks.us-east-1.amazonaws.com/id/B7F730846B99B184B302546272B4C9V2:sub": "system:serviceaccount:cdg:controller-manager"
                }
            }
        }
    ]
}

Please help in resolving this issue,
Thanks.

[github-actions[bot]]

Hello! Reopening this discussion to make it searchable.