How can AWS STS get-caller-identity help troubleshoot failing Lambda functions?

194    Asked by DominicPoole in AWS , Asked on Jun 18, 2024

 am a Cloud engineer and I am currently working for a company that uses AWS for its infrastructure. Recently, there has been an issue where some AWS lambda functions are failing due to the lack of the necessary permission to access certain AWS resources. To identify the called Identity of these lambda functions, I decide to use the AWS sts get-caller-identity API call. Describe to me how can I implement this solution. 

Answered by David

In the context of AWS, here are the steps given:-


Set up the AWS SDK

You should try to ensure that the AWS SDK for Python is installed. In the lambda environment, the Boto3 should be pre-installed. Here is the example given:-


Write the lambda function for calling get caller identity

Now you can write the lambda function for the purpose of calling the get caller identity by using the boto 3 and then log the identity details. Here is the example given below:-

Package com.example;

Import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
Import software.amazon.awssdk.services.sts.StsClient;
Import software.amazon.awssdk.services.sts.model.GetCallerIdentityRequest;
Import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;
Import org.slf4j.Logger;Import org.slf4j.LoggerFactory;
Public class LambdaHandler {
    Private static final Logger logger = LoggerFactory.getLogger(LambdaHandler.class);
    Public static void main(String[] args) {
        lambdaHandler();
    }
    Public static void lambdaHandler() {
        // Create an STS client
        StsClient stsClient = StsClient.builder()
                .credentialsProvider(ProfileCredentialsProvider.create())
                .build();
        Try {
            // Create a GetCallerIdentity request
            GetCallerIdentityRequest getCallerIdentityRequest = GetCallerIdentityRequest.builder().build();
            // Call GetCallerIdentity
            GetCallerIdentityResponse response = stsClient.getCallerIdentity(getCallerIdentityRequest);
            // Extract relevant information
            String userId = response.userId();
            String account = response.account();
            String arn = response.arn();
            // Log the caller identity information
            Logger.info(“UserId: {}, Account: {}, Arn: {}”, userId, account, arn);
        } catch (Exception e) {
            Logger.error(“Error calling GetCallerIdentity”, e);
        } finally {
            // Close the STS client
            stsClient.close();
        }
    }
}

Handling the response

The response object from “getcalleridentity” contains the user id, account and arn. These fields can be used for the purpose of logging and troubleshooting.

Package com.example;

Import com.amazonaws.services.lambda.runtime.Context;
Import com.amazonaws.services.lambda.runtime.RequestHandler;
Import com.amazonaws.services.lambda.runtime.events.SQSEvent;
Import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
Import software.amazon.awssdk.services.sts.StsClient;
Import software.amazon.awssdk.services.sts.model.GetCallerIdentityRequest;
Import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;
Import software.amazon.awssdk.services.sts.model.StsException;
Import org.slf4j.Logger;
Import org.slf4j.LoggerFactory;
Public class LambdaHandler implements RequestHandler {
    Private static final Logger logger = LoggerFactory.getLogger(LambdaHandler.class);
    @Override
    Public String handleRequest(SQSEvent event, Context context) {
        // Initialize the STS client
        StsClient stsClient = StsClient.builder()
                .credentialsProvider(DefaultCredentialsProvider.create())
                .build();
        Try {
            // Create a GetCallerIdentity request
            GetCallerIdentityRequest getCallerIdentityRequest = GetCallerIdentityRequest.builder().build();
            // Call GetCallerIdentity
            GetCallerIdentityResponse response = stsClient.getCallerIdentity(getCallerIdentityRequest);
            // Extract relevant information
            String userId = response.userId();
            String account = response.account();
            String arn = response.arn();
            // Log the caller identity information
            Logger.info(“UserId: {}, Account: {}, Arn: {}”, userId, account, arn);
            // Return the response details as a string
            Return String.format(“Caller Identity – UserId: %s, Account: %s, Arn: %s”, userId, account, arn);
        } catch (StsException e) {
            Logger.error(“Error calling GetCallerIdentity”, e);
            Return “Error fetching caller identity: “ + e.getMessage();
        } finally {
            // Close the STS client
            stsClient.close();
        }
    }
}


Your Answer

Interviews

Parent Categories