
Fix Segment Functions AccessDenied Error with AWS STS

Issue

When executing a Segment Function that calls AWS STS.assumeRole, you may encounter an AccessDenied error in the live runtime environment. However, the exact same function code and configuration succeed when tested inside the Function Tester.

 

Product

Twilio Segment
 
 

Environment 

Segment Console

 

Cause

The setting name externalId is a reserved keyword within the Segment Functions runtime. When a function setting is named exactly externalId, the live runtime engine strips it from the function's configuration dictionary before execution. As a result, the function passes an undefined value to the AWS AssumeRole API at runtime, and the request is rejected with an AccessDenied error because it fails to match your AWS IAM trust policy condition.

The Function Tester environment does not strip this reserved keyword, which is why the execution incorrectly appears successful during testing.

 

Resolution

To resolve this issue, you must use a non-reserved name for your External ID configuration setting. Follow these steps to update your function:
  1. Navigate to your Segment Workspace and open the affected Function configuration.
  2. In the function settings, change the name of the setting from externalId to a custom, non-reserved identifier (for example, iamRoleExternalId).
  3. Update your function code to read the external ID value from this new setting key.
  4. Save and redeploy the function.
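
The guard below is an added example, not Segment's or Twilio's code: it reads the External ID from the renamed setting and fails with a message naming the missing setting instead of sending an undefined value to AssumeRole. The roleArn setting name, the session name and the sample values are assumptions, and simulateLiveRuntime is a constructed stand-in for the stripping behaviour described under Cause.

```javascript
// Added example, not Segment's code. The roleArn setting name, session name
// and sample values are assumptions made for illustration.
const RESERVED_SETTING_KEYS = ['externalId']; // reserved name described above

// Constructed stand-in for the live runtime, which drops reserved keys before
// the function runs. The Function Tester passes settings through unchanged.
function simulateLiveRuntime(settings) {
  const copy = { ...settings };
  for (const key of RESERVED_SETTING_KEYS) delete copy[key];
  return copy;
}

// Build AssumeRole parameters, refusing to continue when a value is absent so
// the failure names the setting instead of surfacing as AccessDenied from STS.
function buildAssumeRoleParams(settings, externalIdKey = 'iamRoleExternalId') {
  for (const key of ['roleArn', externalIdKey]) {
    if (typeof settings[key] !== 'string' || settings[key].length === 0) {
      throw new Error(`Function setting "${key}" is missing or empty at runtime`);
    }
  }
  return {
    RoleArn: settings.roleArn,
    RoleSessionName: 'segment-function', // assumed session name
    ExternalId: settings[externalIdKey],
  };
}

// Inside a handler the result would be passed to STS, for example (assuming
// the AWS SDK v2 is available as AWS):
//   const creds = await new AWS.STS().assumeRole(params).promise();

// Constructed sample settings: same External ID value, old and new key names.
function demo() {
  const roleArn = 'arn:aws:iam::123456789012:role/example-role';
  const before = simulateLiveRuntime({ roleArn, externalId: 'example-external-id' });
  const after = simulateLiveRuntime({ roleArn, iamRoleExternalId: 'example-external-id' });
  let beforeError = null;
  try {
    buildAssumeRoleParams(before, 'externalId');
  } catch (err) {
    beforeError = err.message;
  }
  return { beforeError, afterParams: buildAssumeRoleParams(after) };
}

console.log(demo());
```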

 

Additional Information

  • Note: You do not need to modify your existing AWS IAM trust policy or permissions, as long as the underlying string value itself still matches the configured value in AWS.
  • To learn more about what runtime and dependencies Segment Functions currently support, please review the Segment Functions documentation.

 
