I'm using a multi-account architecture using AWS Control Tower and AWS Organization. I have a master account with an IAM user called agent (with no policies attached and with only CLI access) and then I have another AWS account called dev where I have created a new role called workload-deployer (ARN -> arn:aws:iam::809348927750:role/workload-deployer) with the following trust relationship:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::185288728304:user/agent"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
When I try to assume this role, I get the error below:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::185288728304:user/agent is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::809348927750:role/workload-deployer
The command I'm running to assume the role:
aws sts assume-role --role-arn arn:aws:iam::809348927750:role/workload-deployer --role-session-name "RoleSession1" --duration-seconds 900 --profile zm
In order to assume a role, you need permissions to exist in 2 places:
sts:AssumeRole permission. It sounds like you are lacking the permission for #1.
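The answer's point is that a cross-account AssumeRole is gated by two separate documents: the caller's identity policy in the source account must allow sts:AssumeRole on the role's ARN, and the role's trust policy in the target account must name the caller. The script below is an added example, not code from the question or the answer: it performs a simplified offline evaluation of both documents for the ARNs on this page. The trust policy is the one posted in the question; the identity policy for the agent user is a constructed assumption (the question says the user has no policies attached), and the evaluator ignores NotAction/NotResource and Condition blocks, so it is a teaching aid rather than a substitute for the IAM policy simulator.

```python
"""Offline check that both halves of a cross-account sts:AssumeRole are satisfied.

Added example; not from the original question or answer. The trust policy is the one
posted in the question. The identity policy is a constructed assumption.
"""
import fnmatch
import json

USER_ARN = "arn:aws:iam::185288728304:user/agent"
ROLE_ARN = "arn:aws:iam::809348927750:role/workload-deployer"

# Trust policy exactly as posted in the question (attached to the role in the dev account).
TRUST_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::185288728304:user/agent" },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
""")

# Constructed identity policy for the agent user in the master account. This is an
# assumption for the example; the question states the user has no policies attached.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}
    ],
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource/Principal; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    """Case-insensitive wildcard match (IAM's * and ?) of a value against policy patterns."""
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def identity_policy_allows(policy, action, resource):
    """Evaluate the caller's identity policy: an explicit Deny wins, otherwise an Allow is needed.

    Simplified: NotAction/NotResource and Condition blocks are not handled.
    """
    if policy is None:
        return False  # nothing attached, as in the question: implicit deny
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if _matches(stmt.get("Action"), action) and _matches(stmt.get("Resource"), resource):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def trust_policy_allows(policy, principal_arn, action):
    """Evaluate the role's trust policy for the calling principal.

    The caller is trusted if named directly, if "*" is used, or if the policy names the
    caller's account root (bare account ID or arn:aws:iam::<account>:root), in which case
    the caller's own identity policy decides. Conditions are not evaluated here.
    """
    account_id = principal_arn.split(":")[4]
    root_arn = f"arn:aws:iam::{account_id}:root"
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _matches(stmt.get("Action"), action):
            continue
        principal = stmt.get("Principal", {})
        trusted = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if any(p in ("*", principal_arn, root_arn, account_id) for p in trusted):
            if stmt.get("Effect") == "Deny":
                return False
            if stmt.get("Effect") == "Allow":
                allowed = True
    return allowed


def can_assume_role(identity_policy, trust_policy, user_arn, role_arn):
    """Return (allowed, reason); both the identity policy and the trust policy must pass."""
    if not identity_policy_allows(identity_policy, "sts:AssumeRole", role_arn):
        return False, "identity policy on the caller does not allow sts:AssumeRole on the role"
    if not trust_policy_allows(trust_policy, user_arn, "sts:AssumeRole"):
        return False, "trust policy on the role does not trust the caller"
    return True, "both the caller's identity policy and the role's trust policy allow it"


if __name__ == "__main__":
    # The question's situation: trust policy is fine, but the user has no identity policy.
    print(can_assume_role(None, TRUST_POLICY, USER_ARN, ROLE_ARN))
    # After attaching the constructed identity policy to the agent user.
    print(can_assume_role(IDENTITY_POLICY, TRUST_POLICY, USER_ARN, ROLE_ARN))
```

Run as-is, the first call reproduces the question's situation (denied on the identity-policy side even though the trust policy is correct) and the second shows the check passing once the source-account user carries an sts:AssumeRole allow scoped to the role ARN. Scoping the Resource to the exact role ARN, rather than `*`, keeps the agent user from assuming any other role that happens to trust the master account.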