I am trying to assume a role in a different account to give me read access. The role (ROLE_IN_TARGET_ACCOUNT) has the permissions I need, however I am getting an error that my user (SOURCE_USER) is not allowed to assume the role.

The ROLE_IN_TARGET_ACCOUNT also has the following trust relationships

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SOURCE_ACCOUNTID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    },
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::SOURCE_ACCOUNTID:user/SOURCE_USER"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

The following policy has been added to an IAM user group in SOURCE_ACCOUNTID

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::TARGET_ACCOUNT:role/ROLE_IN_TARGET_ACCOUNT"
  }
}

and SOURCE_USER is a member of this user group. So ROLE_IN_TARGET_ACCOUNT should trust SOURCE_USER, and SOURCE_USER should have permissions to assume ROLE_IN_TARGET_ACCOUNT.

However, I get the error

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::SOURCE_ACCOUNTID:user/SOURCE_USER is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::TARGET_ACCOUNT:role/ROLE_IN_TARGET_ACCOUNT

What am I missing here?

L Xandor

1 Answer

The policies you've shared seem fine (other than the second trust policy being redundant - root includes all auth'd and auth'z principals in SOURCE_ACCOUNTID, which includes SOURCE_ACCOUNTID).

Are there any SCPs, Permissions Boundaries, or Session Policies in your environment? An explicit Deny anywhere in the policy evaluation flow will prevent an otherwise good Allow configuration from working.

rowanu
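To make the answer's point concrete, here is an added, offline model of how IAM decides a cross-account sts:AssumeRole call; it is illustration written for this page, not AWS code and not anything the asker or answerer posted. It replays the question's two policies (with constructed account IDs 111111111111 and 222222222222 standing in for SOURCE_ACCOUNTID and TARGET_ACCOUNT) and then shows how a single explicit Deny in an SCP, or a permissions boundary that is silent about sts:AssumeRole, turns the otherwise valid Allow into the AccessDenied the asker sees. The model deliberately ignores Condition blocks (both in the question are empty) and supports only the "AWS" principal form.

```python
"""Offline model of IAM policy evaluation for cross-account AssumeRole.
Added illustration for this Q&A; simplified, not the real AWS evaluator."""
import fnmatch
from typing import Optional

ALLOW, DENY = "Allow", "Deny"


def _as_list(value):
    """IAM allows Action/Resource/Principal values to be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, ci=False) -> bool:
    """IAM-style wildcard match (* and ?). Actions are case-insensitive (ci=True)."""
    for pat in _as_list(patterns):
        v = value
        if ci:
            pat, v = pat.lower(), value.lower()
        if fnmatch.fnmatchcase(v, pat):
            return True
    return False


def _statements(policy):
    stmts = policy.get("Statement", [])
    return stmts if isinstance(stmts, list) else [stmts]  # a single dict is legal


def policy_decision(policy, action, resource) -> Optional[str]:
    """Identity / SCP / boundary policy: DENY if any matching statement denies,
    ALLOW if one allows, None when the policy is silent (implicit deny)."""
    decision = None
    for stmt in _statements(policy):
        if not _matches(stmt.get("Action"), action, ci=True):
            continue
        if not _matches(stmt.get("Resource", "*"), resource):
            continue
        if stmt["Effect"] == DENY:
            return DENY  # an explicit Deny always wins
        decision = ALLOW
    return decision


def trust_policy_decision(trust_policy, principal_arn, action) -> Optional[str]:
    """Role trust policy (resource-based): the caller must match a Principal.
    'arn:aws:iam::<acct>:root' (or the bare account ID) means any principal in <acct>."""
    account_id = principal_arn.split(":")[4]
    account_forms = {principal_arn, f"arn:aws:iam::{account_id}:root", account_id}
    decision = None
    for stmt in _statements(trust_policy):
        if not _matches(stmt.get("Action"), action, ci=True):
            continue
        if not any(p in account_forms for p in _as_list(stmt.get("Principal", {}).get("AWS"))):
            continue
        if stmt["Effect"] == DENY:
            return DENY
        decision = ALLOW
    return decision


def evaluate_assume_role(principal_arn, role_arn, identity_policies, trust_policy,
                         scps=(), permissions_boundary=None) -> str:
    """Cross-account AssumeRole needs BOTH sides to allow: the caller's identity
    policy (inside every SCP and its permissions boundary, if any) AND the
    role's trust policy. An explicit Deny in any layer ends the evaluation."""
    action = "sts:AssumeRole"
    guardrails = [policy_decision(scp, action, role_arn) for scp in scps]
    if permissions_boundary is not None:
        guardrails.append(policy_decision(permissions_boundary, action, role_arn))
    identity = [policy_decision(p, action, role_arn) for p in identity_policies]
    trust = trust_policy_decision(trust_policy, principal_arn, action)
    if DENY in guardrails + identity + [trust]:
        return DENY
    if any(d is None for d in guardrails):  # each SCP and the boundary must allow
        return DENY
    if ALLOW not in identity or trust != ALLOW:
        return DENY
    return ALLOW


# --- Constructed scenario mirroring the question (account IDs are placeholders) ---
SOURCE_USER = "arn:aws:iam::111111111111:user/SOURCE_USER"
TARGET_ROLE = "arn:aws:iam::222222222222:role/ROLE_IN_TARGET_ACCOUNT"
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "sts:AssumeRole", "Condition": {}},
    {"Effect": "Allow", "Principal": {"AWS": SOURCE_USER},
     "Action": "sts:AssumeRole", "Condition": {}}]}
GROUP_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": TARGET_ROLE}}
# Two hypothetical guardrails that would produce the asker's AccessDenied:
DENY_ASSUME_SCP = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "sts:AssumeRole", "Resource": "*"}]}
S3_ONLY_BOUNDARY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "s3:Get*", "Resource": "*"}}


def scenario(scps=(), boundary=None) -> str:
    return evaluate_assume_role(SOURCE_USER, TARGET_ROLE, [GROUP_POLICY],
                                TRUST_POLICY, scps, boundary)


if __name__ == "__main__":
    print("policies as posted:     ", scenario())
    print("plus SCP denying STS:   ", scenario(scps=[DENY_ASSUME_SCP]))
    print("plus s3-only boundary:  ", scenario(boundary=S3_ONLY_BOUNDARY))
```

The three calls at the bottom print Allow, Deny, Deny: the posted policies are sufficient on their own, and only an outside layer (an SCP on the source account or OU, or a permissions boundary on SOURCE_USER) changes the result, which is exactly what the answer asks the poster to look for.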