SAML Assertion doesn’t contain the requested Role and Metadata in the attributes

Today I was struggling with this exception:

Caused by: com.amazonaws.services.securitytoken.model.InvalidIdentityTokenException: SAML Assertion doesn't contain the requested Role and Metadata in the attributes (Service: AWSSecurityTokenService; Status Code: 400; Error Code: InvalidIdentityToken)
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1862) ~[aws-java-sdk-core-1.12.124.jar:na]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1415) ~[aws-java-sdk-core-1.12.124.jar:na]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1384) ~[aws-java-sdk-core-1.12.124.jar:na]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1154) ~[aws-java-sdk-core-1.12.124.jar:na]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:811) ~[aws-java-sdk-core-1.12.124.jar:na]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:779) ~[aws-java-sdk-core-1.12.124.jar:na]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:753) ~[aws-java-sdk-core-1.12.124.jar:na]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:713) ~[aws-java-sdk-core-1.12.124.jar:na]
	at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:695) ~[aws-java-sdk-core-1.12.124.jar:na]
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:559) ~[aws-java-sdk-core-1.12.124.jar:na]
	at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:539) ~[aws-java-sdk-core-1.12.124.jar:na]
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1682) ~[aws-java-sdk-sts-1.12.124.jar:na]
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1649) ~[aws-java-sdk-sts-1.12.124.jar:na]
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1638) ~[aws-java-sdk-sts-1.12.124.jar:na]
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRoleWithSAML(AWSSecurityTokenServiceClient.java:742) ~[aws-java-sdk-sts-1.12.124.jar:na]
	at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRoleWithSAML(AWSSecurityTokenServiceClient.java:710) ~[aws-java-sdk-sts-1.12.124.jar:na]

It was thrown by this piece of code:

        AWSSecurityTokenService stsClient = ...   // configured STS client
        AssumeRoleWithSAMLRequest request = new AssumeRoleWithSAMLRequest()
                .withPrincipalArn(...)            // ARN of the IAM SAML provider
                .withRoleArn("arn:aws:iam::XXX:role/MyRole")   // role requested here
                .withSAMLAssertion(sAMLAssertion) // base64 SAML response from the IdP
                .withDurationSeconds(...);
        AssumeRoleWithSAMLResult result = stsClient.assumeRoleWithSAML(request);

sAMLAssertion is, as the AWS javadoc states, "The base64 encoded SAML authentication response provided by the IdP."

I was getting sAMLAssertion by calling the ADFS SAML provider with service account credentials.
After base64 decoding, sAMLAssertion looked like this:

...
        <AttributeStatement>
            <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
                <AttributeValue>arn:aws:iam::XXX:saml-provider/SAML_ADFS3,arn:aws:iam::XXX:role/MyOtherRole</AttributeValue>
            </Attribute>
            <Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
                <AttributeValue>MyServiceAccountUser</AttributeValue>
            </Attribute>
        </AttributeStatement>
...

So it turned out that I was trying to assume a different role (arn:aws:iam::XXX:role/MyRole) in AssumeRoleWithSAMLRequest than the one in sAMLAssertion (arn:aws:iam::XXX:role/MyOtherRole).

InvalidIdentityTokenException SAML Assertion doesn't contain the requested Role and Metadata in the attributes

clearly indicates this, but it took me a couple of hours to find the root cause.
While googling for a solution I found no information regarding this exception. Therefore I hope this post may be useful for others who encounter a similar problem.
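To catch this mismatch before STS does, the base64 SAML response can be decoded and its Role attribute compared against the PrincipalArn/RoleArn pair you are about to request. The following is an added example, not code from the post or from the AWS SDK; the embedded SAML response is constructed to mirror the AttributeStatement shown above, and the check is written in Python rather than Java so it can run stand-alone.

```python
import base64
import xml.etree.ElementTree as ET

ROLE_ATTR = "https://aws.amazon.com/SAML/Attributes/Role"

# Constructed sample (not a real ADFS response), shaped like the post's
# AttributeStatement: the IdP only vouches for MyOtherRole.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns="urn:oasis:names:tc:SAML:2.0:assertion">
  <Assertion>
    <AttributeStatement>
      <Attribute Name="https://aws.amazon.com/SAML/Attributes/Role">
        <AttributeValue>arn:aws:iam::XXX:saml-provider/SAML_ADFS3,arn:aws:iam::XXX:role/MyOtherRole</AttributeValue>
      </Attribute>
      <Attribute Name="https://aws.amazon.com/SAML/Attributes/RoleSessionName">
        <AttributeValue>MyServiceAccountUser</AttributeValue>
      </Attribute>
    </AttributeStatement>
  </Assertion>
</samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_RESPONSE.encode()).decode()

def _local(tag):
    """Strip the namespace so prefixed and default-namespace SAML both match."""
    return tag.rsplit("}", 1)[-1]

def saml_role_pairs(saml_response_b64):
    """Return the (provider_arn, role_arn) pairs listed in the Role attribute."""
    # xml.etree does not fetch external entities; use defusedxml for untrusted input.
    root = ET.fromstring(base64.b64decode(saml_response_b64))
    pairs = []
    for attr in root.iter():
        if _local(attr.tag) != "Attribute" or attr.get("Name") != ROLE_ATTR:
            continue
        for value in attr:
            if _local(value.tag) != "AttributeValue" or not value.text:
                continue
            arns = [a.strip() for a in value.text.split(",")]
            # AWS accepts the pair in either order, so pick each ARN by its type.
            role = next((a for a in arns if ":role/" in a), None)
            provider = next((a for a in arns if ":saml-provider/" in a), None)
            if len(arns) == 2 and role and provider:
                pairs.append((provider, role))
    return pairs

def assertion_covers(saml_response_b64, principal_arn, role_arn):
    """True only if the exact (PrincipalArn, RoleArn) pair is in the assertion."""
    return (principal_arn, role_arn) in saml_role_pairs(saml_response_b64)
```

Running assertion_covers with the ARNs from the post's request returns False for MyRole and True for MyOtherRole, which is exactly the mismatch STS reports as InvalidIdentityToken.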
