amazon-web-services amazon-s3

Value null at 'roleArn' failed to satisfy constraint: Member must not be null Service: AWSSecurityTokenService


I have the following Java code which I use to create an AWS S3 bucket:

    AssumeRoleRequest assumeRequest = new AssumeRoleRequest().withRoleArn("arn:aws:s3:::test");
    AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
        .withCredentials(new AWSStaticCredentialsProvider(new AWSCredentials......)).build();
    AssumeRoleResult assumeResult = stsClient.assumeRole(assumeRequest);

During boot time I get this error:

2024-05-24T17:32:15.874Z ERROR 13528 --- [platform] [   scheduling-1] o.s.s.s.TaskUtils$LoggingErrorHandler    : Unexpected error occurred in scheduled task

com.amazonaws.services.securitytoken.model.AWSSecurityTokenServiceException: 1 validation error detected: Value null at 'roleArn' failed to satisfy constraint: Member must not be null (Service: AWSSecurityTokenService; Status Code: 400; Error Code: ValidationError; Request ID: 1b112442-8c58-14bc-a741-caf9062c9441; Proxy: null)
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleErrorResponse(AmazonHttpClient.java:1879) ~[aws-java-sdk-core-1.12.322.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.handleServiceErrorResponse(AmazonHttpClient.java:1418) ~[aws-java-sdk-core-1.12.322.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeOneRequest(AmazonHttpClient.java:1387) ~[aws-java-sdk-core-1.12.322.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeHelper(AmazonHttpClient.java:1157) ~[aws-java-sdk-core-1.12.322.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.doExecute(AmazonHttpClient.java:814) ~[aws-java-sdk-core-1.12.322.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.executeWithTimer(AmazonHttpClient.java:781) ~[aws-java-sdk-core-1.12.322.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.execute(AmazonHttpClient.java:755) ~[aws-java-sdk-core-1.12.322.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutor.access$500(AmazonHttpClient.java:715) ~[aws-java-sdk-core-1.12.322.jar:na]
    at com.amazonaws.http.AmazonHttpClient$RequestExecutionBuilderImpl.execute(AmazonHttpClient.java:697) ~[aws-java-sdk-core-1.12.322.jar:na]
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:561) ~[aws-java-sdk-core-1.12.322.jar:na]
    at com.amazonaws.http.AmazonHttpClient.execute(AmazonHttpClient.java:541) ~[aws-java-sdk-core-1.12.322.jar:na]
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.doInvoke(AWSSecurityTokenServiceClient.java:1727) ~[aws-java-sdk-sts-1.12.322.jar:na]
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1694) ~[aws-java-sdk-sts-1.12.322.jar:na]
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.invoke(AWSSecurityTokenServiceClient.java:1683) ~[aws-java-sdk-sts-1.12.322.jar:na]
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.executeAssumeRole(AWSSecurityTokenServiceClient.java:532) ~[aws-java-sdk-sts-1.12.322.jar:na]
    at com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClient.assumeRole(AWSSecurityTokenServiceClient.java:501) ~[aws-java-sdk-sts-1.12.322.jar:na]

I created an IAM account with API key credentials and an S3 bucket, but I can't find what configuration I need to make in order to fix this issue.


Solution

  • The error you're encountering,

    Value null at 'roleArn' failed to satisfy constraint: Member must not be null

    means the roleArn you passed to the AssumeRoleRequest is invalid or null.

    new AssumeRoleRequest().withRoleArn("arn:aws:s3:::test");
    

    This ARN is not valid for an IAM role. You're passing an S3 bucket ARN, but AssumeRole requires an IAM Role ARN.

    Update the ARN to a valid IAM role ARN, not an S3 bucket.

    arn:aws:s3:::test
    

    This refers to an S3 bucket, not a role.

    Correct Format for IAM Role ARN:

    arn:aws:iam::<account-id>:role/<role-name>
    

    Example:

    String roleArn = "arn:aws:iam::123456789012:role/MyAssumableRole";
    
    AssumeRoleRequest assumeRequest = new AssumeRoleRequest()
        .withRoleArn(roleArn)
        .withRoleSessionName("MySession");
    
    AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard()
        .withCredentials(new AWSStaticCredentialsProvider(
            new BasicAWSCredentials("ACCESS_KEY", "SECRET_KEY")))
        .build();
    
    AssumeRoleResult assumeResult = stsClient.assumeRole(assumeRequest);
    
    1. Create an IAM Role in AWS:

      • Go to IAM → Roles → Create Role

      • Choose “Another AWS account” if using cross-account

      • Copy the Role ARN and use it in your code

    2. Allow Your IAM User to Assume the Role:
      Attach a policy like this to the IAM user:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "sts:AssumeRole",
          "Resource": "arn:aws:iam::123456789012:role/MyAssumableRole"
        }
      ]
    }
    
    3. Role Trust Policy (in the role being assumed):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::your-account-id:user/your-iam-user"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    

    Hope this works! Thanks
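
Added example, not part of the original answer: a pre-flight check that rejects a null value or a non-role ARN (such as the bucket ARN from the question) before `assumeRole` is called, so the misconfiguration fails locally with a specific message instead of as an STS `ValidationError`. The class and method names are hypothetical, the sample inputs are constructed, and the regex deliberately restricts role paths to role-name characters.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RoleArnCheck {
    // arn:<partition>:iam::<12-digit account>:role/<optional path/><name>
    // Simplification: path segments are limited to role-name characters.
    private static final Pattern IAM_ROLE_ARN = Pattern.compile(
        "^arn:(aws|aws-cn|aws-us-gov):iam::(\\d{12}):role/"
        + "((?:[\\w+=,.@-]+/)*)([\\w+=,.@-]{1,64})$");

    /** Returns the role name, or throws with a reason worth logging. */
    static String requireIamRoleArn(String arn) {
        if (arn == null || arn.trim().isEmpty()) {
            throw new IllegalArgumentException("roleArn is null or empty");
        }
        String[] parts = arn.split(":", 6);
        if (parts.length < 6 || !"arn".equals(parts[0])) {
            throw new IllegalArgumentException("not an ARN: " + arn);
        }
        if (!"iam".equals(parts[2])) {
            throw new IllegalArgumentException(
                "service is '" + parts[2] + "', AssumeRole needs an iam role ARN");
        }
        Matcher m = IAM_ROLE_ARN.matcher(arn);
        if (!m.matches()) {
            throw new IllegalArgumentException("not a well-formed IAM role ARN: " + arn);
        }
        return m.group(4);
    }

    public static void main(String[] args) {
        // Constructed samples; the first two ARNs appear on this page.
        String[] samples = {
            "arn:aws:s3:::test",
            "arn:aws:iam::123456789012:role/MyAssumableRole",
            "arn:aws:iam::123456789012:user/some-user",
            null
        };
        for (String arn : samples) {
            try {
                System.out.println("ok, role name: " + requireIamRoleArn(arn));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```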