Getting 403 forbidden when accessing config from AppConfig agent at localhost

0

We have an ECS cluster with an AppConfig agent container configured at http://localhost:2772. I'm getting a 403 Forbidden error when trying to call the agent from my service using C# HttpClient.

Is passing a bearer token required when making a call to the agent container?

After getting the 403 Forbidden, I'm now trying to pass a bearer token using AmazonSecurityTokenServiceClient.AssumeRoleAsync, but I'm getting a different error: Amazon.SecurityToken.AmazonSecurityTokenServiceException: User: arn:aws:sts::<account-id>:assumed-role/<task role>/<some-alphanumeric> is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<account-id>:role/<execution-role>

1 Answer
0
Accepted Answer
  1. Ensure AppConfig Agent Permissions: Ensure the task role has the following policy to communicate with the AppConfig agent:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "appconfig:StartConfigurationSession",
        "appconfig:GetLatestConfiguration",
        "appconfig:StopConfigurationSession"
      ],
      "Resource": "*"
    }
  ]
}

  2. Configure AssumeRole Permissions: Ensure the IAM role that the ECS task uses has permissions to assume the role specified in your AmazonSecurityTokenServiceClient.AssumeRoleAsync call. This involves setting the trust relationship and policies correctly.

Trust Relationship: Update the trust relationship of the execution role to allow the task role to assume it:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::<account-id>:role/<task-role>"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Task Role Policy: Ensure the task role has the sts:AssumeRole permission for the execution role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<account-id>:role/<execution-role>"
    }
  ]
}

  3. Passing the Bearer Token in C#: Here's an example of how to pass a bearer token using HttpClient in C#:
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public class AppConfigClient
{
    // Calls STS with the task's default credentials (the task role) to
    // assume the execution role and returns the session token from the
    // temporary credentials STS hands back.
    private static async Task<string> GetBearerToken()
    {
        var stsClient = new AmazonSecurityTokenServiceClient();
        var assumeRoleRequest = new AssumeRoleRequest
        {
            RoleArn = "arn:aws:iam::<account-id>:role/<execution-role>",
            RoleSessionName = "AppConfigSession"
        };

        var assumeRoleResponse = await stsClient.AssumeRoleAsync(assumeRoleRequest);
        return assumeRoleResponse.Credentials.SessionToken;
    }

    // Sends the token as an Authorization: Bearer header to the agent
    // listening on localhost:2772 and prints the response body.
    public static async Task CallAppConfigAgent()
    {
        var token = await GetBearerToken();

        using var client = new HttpClient();
        client.BaseAddress = new Uri("http://localhost:2772");
        client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);

        var response = await client.GetAsync("/path/to/appconfig/endpoint");
        response.EnsureSuccessStatusCode(); // throws HttpRequestException on non-2xx

        var responseBody = await response.Content.ReadAsStringAsync();
        Console.WriteLine(responseBody);
    }
}

Summary: Ensure the ECS task role has the necessary permissions to communicate with the AppConfig agent. Update the trust relationship and policies to allow the task role to assume the execution role. Pass the bearer token in your C# HttpClient calls. By following these steps, you should be able to resolve the 403 Forbidden error and correctly interact with the AppConfig agent from your service. Hope this helps.

answered 2 years ago
EXPERT
reviewed 2 years ago
  • @ehsanonyx Your response seems AI-generated. Just making sure - have you tried doing this with your local environment?
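An added example, not code from the question or from the answer above. The AppConfig agent's local HTTP endpoint takes no Authorization header: the agent signs its own calls to AppConfig with the credentials available inside the task, i.e. the ECS task role, so a 403 from http://localhost:2772 is the agent relaying that its StartConfigurationSession or GetLatestConfiguration call was denied. That is addressed by the task role policy in step 1 of the answer; the service process does not need to assume any other role, and the execution role in particular is the one the ECS agent itself uses to pull images and ship logs, so there is no reason for the task role to assume it (the STS error in the question is what you get when it tries). The client below makes the plain GET the agent expects, builds the agent's /applications/{app}/environments/{env}/configurations/{profile} path, and surfaces the agent's response body on any non-2xx status so the real cause is visible instead of a bare EnsureSuccessStatusCode exception. It assumes .NET 6 or later; the class names, the APPCONFIG_AGENT_URL variable and the MyApp/Production/MyProfile identifiers are placeholders chosen for this example.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading;
using System.Threading.Tasks;

// Raised when the agent answers with a non-2xx status; carries the status
// and the body the agent returned (assumed name, for illustration).
public sealed class AppConfigAgentException : Exception
{
    public HttpStatusCode StatusCode { get; }

    public AppConfigAgentException(HttpStatusCode status, string body)
        : base($"AppConfig agent returned {(int)status} {status}: {body}")
    {
        StatusCode = status;
    }
}

// Minimal client for the agent's local HTTP endpoint. No credentials are
// attached: the agent already authenticates to AppConfig with the task role
// it picks up from the ECS container credential endpoint.
public sealed class AppConfigAgentClient
{
    private readonly HttpClient _http;

    public AppConfigAgentClient(HttpClient http) => _http = http;

    // GET applications/{app}/environments/{env}/configurations/{profile}
    // relative to the agent's base address. Segments are URL-escaped so a
    // name containing '/' cannot change which configuration is requested.
    public async Task<string> GetConfigurationAsync(
        string application, string environment, string profile,
        CancellationToken ct = default)
    {
        var path = $"applications/{Uri.EscapeDataString(application)}"
                 + $"/environments/{Uri.EscapeDataString(environment)}"
                 + $"/configurations/{Uri.EscapeDataString(profile)}";

        using var response = await _http.GetAsync(path, ct);
        var body = await response.Content.ReadAsStringAsync(ct);

        if (response.StatusCode == HttpStatusCode.Forbidden)
        {
            // The agent's own call to AppConfig was denied. Nothing in this
            // process can fix that; the task role policy can. Keep the
            // agent's message so the operator sees which call was refused.
            throw new AppConfigAgentException(response.StatusCode,
                "agent was denied by AppConfig (check the task role's "
                + "appconfig:StartConfigurationSession / GetLatestConfiguration "
                + "permissions); agent said: " + body);
        }

        if (!response.IsSuccessStatusCode)
            throw new AppConfigAgentException(response.StatusCode, body);

        return body;
    }
}

public static class Program
{
    public static async Task Main()
    {
        // Agent address from the question; overridable for containers where
        // the agent listens elsewhere (APPCONFIG_AGENT_URL is an assumed name).
        // The trailing slash matters: HttpClient resolves relative paths
        // against it with Uri(BaseAddress, relative).
        var baseUrl = Environment.GetEnvironmentVariable("APPCONFIG_AGENT_URL")
                      ?? "http://localhost:2772/";

        using var http = new HttpClient
        {
            BaseAddress = new Uri(baseUrl),
            Timeout = TimeSpan.FromSeconds(5) // localhost; fail fast if the agent is down
        };
        var client = new AppConfigAgentClient(http);

        try
        {
            // Placeholder application/environment/profile names.
            var config = await client.GetConfigurationAsync("MyApp", "Production", "MyProfile");
            Console.WriteLine(config);
        }
        catch (AppConfigAgentException ex) when (ex.StatusCode == HttpStatusCode.Forbidden)
        {
            Console.Error.WriteLine(ex.Message);
            Environment.ExitCode = 1;
        }
    }
}
```

If you want step 1 tighter than "Resource": "*", the resource for appconfig:StartConfigurationSession and appconfig:GetLatestConfiguration is the configuration ARN, arn:aws:appconfig:<region>:<account-id>:application/<app-id>/environment/<env-id>/configuration/<profile-id>, so the task role can be limited to the one configuration the service reads. Before changing code at all, it is worth running the same GET with curl from a shell inside the service container and reading the body: the agent's error text tells you whether the upstream call was refused or the path does not name an existing application, environment or profile.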
