How do I resolve the "AccessDenied" or "Invalid information" error when I try to assume a cross-account IAM role?
When I try to assume an AWS Identity and Access Management (IAM) role across AWS accounts, I receive the error message: "An error occurred (AccessDenied) when calling the AssumeRole operation:" or "Invalid information in one or more fields. Check your information or contact your administrator."
Resolution
Configure the required policies
To assume the IAM role across accounts, first edit the policy for the source account that's assuming the IAM role. Then, edit the trust policy for the IAM role that you're assuming in the destination account.
You must meet the following requirements:
- Create a role to assume in the destination account.
- Grant access to the role so that the assuming identity has permission for the AssumeRole action.
- The role in the destination account must have a trust policy that specifies either the source account or specific IAM identities from the source account.
- Note the Amazon Resource Names (ARNs) of the assuming identity in the source account and the IAM role in the destination account to include in the IAM policies.
- You must be signed in to the account as the assuming identity.
- Service control policies (SPCs) don't restrict AssumeRole access. If the account is part of an organization in AWS Organizations and has an SCP, then update or delete the SCP.
- If you use role chaining, then make sure that you don't use IAM credentials from a previous session.
Example configuration
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.
In the following example, Jane in Account_Jane is assuming the IAM role, Carlos, in Account _Carlos.
To allow Jane to assume the IAM role Carlos, complete the following steps:
-
Add the following statement to Jane's IAM policy:
{ "Version": "2012-10-17", "Statement": [ { "Sid": "PermissionToAssumeCarlos", "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "arn:aws:iam::Account_Carlos:role/Carlos" } ] } -
Add the following statement to Carlos's trust policy:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::ACCOUNT_Jane:user/Jane" }, "Action": "sts:AssumeRole" } ] } -
Run the following assume-role command to assume a cross-account IAM role:
aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name assume-cross-accountNote: Replace role-arn with ARN of the IAM role in the destination account.
Related information
How can I get data to help troubleshoot IAM permission access denied or unauthorized errors?
How do I use the AWS CLI to assume an IAM role?
- Language
- English
Its indeed a great article to follow if you are facing permission issues in assuming cross-account IAM role. Informational
Relevant content
- asked 2 years ago
- asked 4 years ago
