Please forgive me if my question is basic, but I am new to AWS. I am using Java to create a lambda function which can assume a role from another AWS account. I have created the role on the other account, created the role on this account to assume that role, and have attached that role to my lambda function. (I have tested these roles using a Lambda function written in Javascript and it works, so they should be set up correctly).
In the code of my lambda function, I am trying to assume the role so that I can access some services from the other account. However, I get “profile file cannot be null” as shown in the error message, and I’m not sure what that means.
public String handleRequest(Map<String,String> event, Context context)
{
String clientRegion = "us-east-1";
String roleARN = "ARN_OF_ROLE_ON_THIS_ACC";
String roleSessionName = "session";
AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
.withCredentials(new ProfileCredentialsProvider())
.withRegion(clientRegion)
.build();
AssumeRoleRequest roleRequest = new AssumeRoleRequest()
.withRoleArn(roleARN)
.withRoleSessionName(roleSessionName);
//The line below causes the error
AssumeRoleResult roleResponse = stsClient.assumeRole(roleRequest);
Credentials sessionCredentials = roleResponse.getCredentials();
BasicSessionCredentials awsCredentials = new BasicSessionCredentials(
sessionCredentials.getAccessKeyId(),
sessionCredentials.getSecretAccessKey(),
sessionCredentials.getSessionToken());
//do other stuff here
}
Error Message:
"errorMessage": "profile file cannot be null",
"errorType": "java.lang.IllegalArgumentException",
"stackTrace": [
"com.amazonaws.util.ValidationUtils.assertNotNull(ValidationUtils.java:37)",
"com.amazonaws.auth.profile.ProfilesConfigFile.<init>(ProfilesConfigFile.java:142)",
"com.amazonaws.auth.profile.ProfilesConfigFile.<init>(ProfilesConfigFile.java:133)",
"com.amazonaws.auth.profile.ProfilesConfigFile.<init>(ProfilesConfigFile.java:100)",
"com.amazonaws.auth.profile.ProfileCredentialsProvider.getCredentials(ProfileCredentialsProvider.java:135)",
"com.amazonaws.http.AmazonHttpClient$RequestExecutor.getCredentialsFromContext(AmazonHttpClient.java:1257)",
"com.amazonaws.http.AmazonHttpClient$RequestExecutor.runBeforeRequestHandlers(AmazonHttpClient.java:833)",
"com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:783)",
"com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:770)",
"com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:744)",
"com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:704)",
"com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:686)",
"com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:550)",
"com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:530)",
"com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1728)",
"com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1695)",
"com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1684)",
"com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:488)",
"com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:457)",
"com.amazon.amazonstoresadminportallambda.handlers.TestHandler.handleRequest(TestHandler.java:80)",
"sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)",
"sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)",
"sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)",
"java.lang.reflect.Method.invoke(Method.java:498)"
]
}
Can anyone help me with this? Thanks in advance!
Advertisement
Answer
Your Lambda functions code tries to read credentials from its environment. For this it uses the ProfileCredentialsProvider which apparently assumes that there is a ~/.aws/credentials file which does not exist.
Try the DefaultAWSCredentialsProviderChain, which should read the credentials from more locations (environment variables, credentials file, EC2 IAM role, Lambda IAM role etc.):
AWSSecurityTokenService stsClient =
AWSSecurityTokenServiceClientBuilder.standard()
.withCredentials(new DefaultAWSCredentialsProviderChain())
.withRegion(clientRegion)
.build();