AWS sts assume role - user is trusted by target role, user has sts permissions to assume target role. "User not allowed to perform assume role"

Question

I am trying to assume a role in a different account to give me read access. The role (ROLE_IN_TARGET_ACCOUNT) has the permissions I need, however I am getting an error that my user (SOURCE_USER) is not allowed to assume the role.

The ROLE_IN_TARGET_ACCOUNT also has the following trust relationships

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SOURCE_ACCOUNTID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SOURCE_ACCOUNTID:user/SOURCE_USER"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

The following policy has been added to an IAM user group in SOURCE_ACCOUNTID

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::TARGET_ACCOUNT:role/ROLE_IN_TARGET_ACCOUNT"
  }

and SOURCE_USER is a member of this user group. So ROLE_IN_TARGET_ACCOUNT should trust SOURCE_USER, and SOURCE_USER should have permissions to assume ROLE_IN_TARGET_ACCOUNT.

However, I get the error

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::SOURCE_ACCOUNTID:user/SOURCE_USER is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::TARGET_ACCOUNT:role/ROLE_IN_TARGET_ACCOUNT

What am I missing here?

Answer 1

The policies you've shared seem fine (other than the second trust policy being redundant - root includes all auth'd and auth'z principals in SOURCE_ACCOUNTID, which includes SOURCE_ACCOUNTID).

Are there any SCPs, Permissions Boundaries, or Session Policies in your environment? An explicit Deny anywhere in the policy evaluation flow will prevent an otherwise good Allow configuration from working.