I am trying to assume a role in a different account to give me read access. The role (ROLE_IN_TARGET_ACCOUNT) has the permissions I need, however I am getting an error that my user (SOURCE_USER) is not allowed to assume the role.
The ROLE_IN_TARGET_ACCOUNT also has the following trust relationships
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::SOURCE_ACCOUNTID:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        },
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::SOURCE_ACCOUNTID:user/SOURCE_USER"
            },
            "Action": "sts:AssumeRole",
            "Condition": {}
        }
    ]
}
The following policy has been added to an IAM user group in SOURCE_ACCOUNTID
{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::TARGET_ACCOUNT:role/ROLE_IN_TARGET_ACCOUNT"
    }
}
and SOURCE_USER is a member of this user group. So ROLE_IN_TARGET_ACCOUNT should trust SOURCE_USER, and SOURCE_USER should have permissions to assume ROLE_IN_TARGET_ACCOUNT.
However, I get the error
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::SOURCE_ACCOUNTID:user/SOURCE_USER is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::TARGET_ACCOUNT:role/ROLE_IN_TARGET_ACCOUNT
What am I missing here?
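Cross-account AssumeRole needs two independent grants: the role's trust policy must name the caller (directly, or via the caller's account root) and the caller's identity-based policy must allow sts:AssumeRole on the role ARN. The script below is an added example, not code from the question's author or from AWS; it models only those two documents (the placeholders SOURCE_ACCOUNTID, TARGET_ACCOUNT, SOURCE_USER and ROLE_IN_TARGET_ACCOUNT are copied from the question) and reports, on paper, whether each grant is present. It also accepts a `Statement` given as a single object rather than a list, as the identity policy above does. Anything outside these two documents, such as a permissions boundary on the user, an SCP in either account, a session policy, or the call being made with different credentials than expected, is not modelled and is a separate thing to check.

```python
"""Offline consistency check for a cross-account sts:AssumeRole setup.

Added example: parses a role trust policy and an identity-based policy and
reports whether the caller is trusted and permitted. Policy contents are
copied from the question; the matching rules are a simplified model of IAM
(Allow/Deny, wildcard matching, no Condition evaluation).
"""
import fnmatch

# Trust policy attached to ROLE_IN_TARGET_ACCOUNT (copied from the question).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::SOURCE_ACCOUNTID:root"},
         "Action": "sts:AssumeRole", "Condition": {}},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::SOURCE_ACCOUNTID:user/SOURCE_USER"},
         "Action": "sts:AssumeRole", "Condition": {}},
    ],
}

# Identity-based policy on the user group in SOURCE_ACCOUNTID (copied from the question).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::TARGET_ACCOUNT:role/ROLE_IN_TARGET_ACCOUNT",
    },
}

CALLER_ARN = "arn:aws:iam::SOURCE_ACCOUNTID:user/SOURCE_USER"
ROLE_ARN = "arn:aws:iam::TARGET_ACCOUNT:role/ROLE_IN_TARGET_ACCOUNT"


def _as_list(value):
    """IAM allows a single element or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # Action names are case-insensitive and may contain * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def trust_allows(trust_policy, caller_arn, action="sts:AssumeRole"):
    """True if an Allow statement names the caller (user ARN, account root ARN,
    bare account ID, or *) for the action and no matching Deny exists."""
    account_id = caller_arn.split(":")[4]
    accepted = {caller_arn, f"arn:aws:iam::{account_id}:root", account_id, "*"}
    allowed = False
    for st in _as_list(trust_policy["Statement"]):
        if not _action_matches(st.get("Action", []), action):
            continue
        principal = st.get("Principal", {})
        names = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if not any(name in accepted for name in names):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def identity_allows(identity_policy, role_arn, action="sts:AssumeRole"):
    """True if the caller's policy has an Allow for the action on the role ARN
    and no matching Deny."""
    allowed = False
    for st in _as_list(identity_policy["Statement"]):
        if not _action_matches(st.get("Action", []), action):
            continue
        resources = _as_list(st.get("Resource", []))
        if not any(fnmatch.fnmatchcase(role_arn, r) for r in resources):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check(trust_policy, identity_policy, caller_arn, role_arn):
    """Both values must be True for AssumeRole to succeed on paper."""
    return {
        "trust_policy_trusts_caller": trust_allows(trust_policy, caller_arn),
        "identity_policy_permits_caller": identity_allows(identity_policy, role_arn),
    }


def check_question_policies():
    """Run the check against the two documents from the question."""
    return check(TRUST_POLICY, IDENTITY_POLICY, CALLER_ARN, ROLE_ARN)


if __name__ == "__main__":
    for name, ok in check_question_policies().items():
        print(f"{name}: {'OK' if ok else 'MISSING'}")
```

Run as written, both checks pass for the documents exactly as posted, which is why this kind of offline check is useful: if the real ARNs (account IDs, role name, user name) also match, the denial is coming from something the two documents do not show, and the next things to compare are the credentials the CLI or SDK actually used for the call (the user ARN in the error message) and any boundary or SCP that applies to that principal.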