shamon shamsudeen

Reputation: 5858

AWS cli: not authorized to perform: sts:AssumeRole on resource

I have an AWS account in which I am assuming a role named A (role-A). From that role I have created another role named B (role-B) through the web console and attached the administrator policy to that role.

Here is the CLI configuration:

[default]
aws_access_key_id = <>
aws_secret_access_key = <>
region = eu-central-1

[role-B]
role_arn = arn:aws:iam::<id>:role/ics-role
mfa_serial = arn:aws:iam::<id>:mfa/<name>
external_id = <name>
source_profile = default

role-B which I have created from role-A

When I try to get the role details

aws --profile role-B sts get-caller-identity

I am getting the following error:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::<>:user/<> is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<>:role/ics-role

Upvotes: 10

Views: 54526

Answers (2)

Ashex

Reputation: 543

You'll need to check the trust relationship policy document of the IAM role to confirm that your user is in it.

Additionally, make sure that the IAM user has explicit permissions allowing them to assume that role.

The trust relationship should look something like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::1234567890:user/person"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Upvotes: 20

user1503606

Reputation: 4300

My issue was that I had a condition set in the policy JSON.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::000000000:dave"
        },
        "Action": "sts:AssumeRole",
        "Condition": {
           // Condition set here
        }
    }]
}

I removed the condition and it works now with no issues.

{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {
            "AWS": "arn:aws:iam::000000000:dave"
        },
        "Action": "sts:AssumeRole"
    }]
}

Upvotes: 2
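Both answers above come down to the same three gates IAM applies to an AssumeRole call: the role's trust policy must name the caller in its Principal, its Action must cover sts:AssumeRole, and every Condition in the statement must be satisfied by the request (the question's profile sets an external_id and an mfa_serial, so conditions on sts:ExternalId and aws:MultiFactorAuthPresent are the usual suspects); separately, the caller's identity-based policy must allow the action. The following added example, which is not code from either answer or from AWS, is a small offline evaluator of those gates that reports which one rejects a given caller and context. The account id, user, external id and the trust and identity policies are constructed placeholders; it handles only the StringEquals and Bool operators and the AWS principal type, which is enough to reproduce the two failure modes discussed.

```python
"""Offline checker for why sts:AssumeRole may be denied (added example, not
from the Stack Overflow answers or from AWS). It evaluates a role trust
policy against a caller ARN and request context for the main cases:
Principal must name the caller, Action must cover sts:AssumeRole, and every
Condition key must be satisfied. A real AssumeRole also consults the
caller's identity-based policy, modelled here by identity_policy_allows()."""
import json
from fnmatch import fnmatchcase

# Constructed sample values; the account id and names are placeholders.
ACCOUNT = "123456789012"
USER_ARN = f"arn:aws:iam::{ACCOUNT}:user/person"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT}:role/ics-role"

# Constructed trust policy with the conditions the question's CLI profile
# (external_id, mfa_serial) would require.
TRUST_POLICY = json.loads(f"""{{
  "Version": "2012-10-17",
  "Statement": [{{
    "Effect": "Allow",
    "Principal": {{"AWS": ["{USER_ARN}"]}},
    "Action": "sts:AssumeRole",
    "Condition": {{
      "StringEquals": {{"sts:ExternalId": "my-external-id"}},
      "Bool": {{"aws:MultiFactorAuthPresent": "true"}}
    }}
  }}]
}}""")

# Constructed identity-based policy attached to the IAM user.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": ROLE_ARN}],
}


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_matches(principal, caller_arn):
    """Principal '*' or an AWS entry equal to the caller ARN, the caller's
    account root ARN, or the bare account id counts as naming the caller."""
    if principal == "*":
        return True
    account = caller_arn.split(":")[4]
    allowed = {caller_arn, f"arn:aws:iam::{account}:root", account}
    return any(p == "*" or p in allowed for p in _as_list(principal.get("AWS", [])))


def _condition_matches(condition, context):
    """Check StringEquals and Bool operators; returns (ok, failing_key)."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual not in [str(e) for e in _as_list(expected)]:
                    return False, key
            elif operator == "Bool":
                if actual is None or str(actual).lower() != str(expected).lower():
                    return False, key
            else:
                return False, f"{key} ({operator} not supported here)"
    return True, None


def can_assume(trust_policy, caller_arn, context):
    """Return (allowed, reason). An explicit Deny wins; otherwise one matching
    Allow statement suffices; no matching statement is an implicit deny."""
    allowed, reasons = False, []
    for stmt in trust_policy["Statement"]:
        if not _principal_matches(stmt.get("Principal", {}), caller_arn):
            reasons.append("caller not in Principal")
            continue
        if not any(fnmatchcase("sts:AssumeRole", a) for a in _as_list(stmt["Action"])):
            reasons.append("Action does not cover sts:AssumeRole")
            continue
        ok, key = _condition_matches(stmt.get("Condition", {}), context)
        if not ok:
            reasons.append(f"Condition on {key} not satisfied")
            continue
        if stmt["Effect"] == "Deny":
            return False, "explicit Deny"
        allowed = True
    return (True, "allowed") if allowed else (False, "; ".join(reasons) or "no statement")


def identity_policy_allows(policy, action, resource):
    """Does the caller's identity-based policy grant action on resource?"""
    decision = False
    for stmt in policy["Statement"]:
        if (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))):
            if stmt["Effect"] == "Deny":
                return False
            decision = True
    return decision


if __name__ == "__main__":
    full = {"sts:ExternalId": "my-external-id", "aws:MultiFactorAuthPresent": "true"}
    print(can_assume(TRUST_POLICY, USER_ARN, full))                    # allowed
    print(can_assume(TRUST_POLICY, USER_ARN, {"aws:MultiFactorAuthPresent": "true"}))
    print(can_assume(TRUST_POLICY, f"arn:aws:iam::{ACCOUNT}:user/other", full))
    print(identity_policy_allows(IDENTITY_POLICY, "sts:AssumeRole", ROLE_ARN))
```

Running the block shows the same AccessDenied the question reports arising from two different causes: a caller absent from the Principal (Ashex's answer) and an unmet Condition such as a missing external id (user1503606's answer). When diagnosing a real account, compare the role's trust policy from the console against the caller ARN in the error message and against the external_id and mfa_serial values in the CLI profile before removing a condition, since the condition may be the control that keeps other principals in the same account out.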
