I tried to assume a cross-account AWS Identity and Access Management (IAM) role. However, I received an error similar to the following: "An error occurred (AccessDenied) when calling the AssumeRole operation:" or "Invalid information in one or more fields. Check your information or contact your administrator."
Resolution
Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshoot AWS CLI errors. Also, make sure that you're using the most recent AWS CLI version.
To assume an IAM role in another account, first edit the permissions of the principal that will assume the IAM role. Then, edit the trust policy of the role in the other AWS account so that it allows that principal to assume the role.
In the following example, you have two accounts, one named Account_Bob and the other named Account_Alice. You also have an IAM user or role named Bob in Account_Bob, and an IAM role named Alice in Account_Alice. In this scenario, Bob will assume the IAM role that's named Alice.
To use the AssumeRole API call across AWS accounts, the role that's assumed must have a trust policy that grants the calling principal permission to assume it.
Example permissions required for Bob:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionToAssumeAlice",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::Account_Alice:role/Alice"
        }
    ]
}
Example trust policy required for Alice:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::Account_Bob:user/Bob"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
Example AWS CLI command to assume a cross-account IAM role:
aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name assume-cross-account
For more information, see How do I assume an IAM role using the AWS CLI?
To avoid errors when you assume a cross-account IAM role, make sure that you follow these best practices for your use case:
- The assuming role, Bob, must have permissions for the API action AssumeRole.
- You must be signed in to the AWS account as Bob. For more information, see Using an alias for your AWS account ID.
- The role being assumed, Alice, must exist. Make sure that it's not deleted and that the Amazon Resource Name (ARN) is configured correctly.
- If you use role chaining, then make sure that you don't use IAM credentials from a previous session. For more information, see the role chaining section in Roles terms and concepts.
- If Account_Bob belongs to an organization in AWS Organizations, there might be a service control policy (SCP) that restricts AssumeRole access for Account_Bob or Account_Alice. Make sure that you edit or remove the SCP that restricts access for Account_Bob or Account_Alice. For more information, see SCPs.
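Because AssumeRole needs both sides to agree (Bob's identity policy and Alice's trust policy), it helps to check both policies together before running the command. The following Python script is an added example, not code from AWS or this article: it embeds constructed versions of the two policies above (with the placeholder account IDs 111111111111 for Account_Bob and 222222222222 for Account_Alice), evaluates each side with a simplified IAM matcher (wildcards and explicit Deny are handled; NotAction, NotPrincipal, Condition keys, SCPs and account-ID principal shorthand are not), and reports which side would cause the AccessDenied error.

```python
import fnmatch
import json

# Constructed example policies (not from any real account): Bob's identity policy and
# Alice's trust policy, with 111111111111 / 222222222222 standing in for Account_Bob / Account_Alice.
BOB_IDENTITY_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PermissionToAssumeAlice", "Effect": "Allow", "Action": "sts:AssumeRole",
   "Resource": "arn:aws:iam::222222222222:role/Alice"}]}""")
ALICE_TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:user/Bob"},
   "Action": "sts:AssumeRole"}]}""")

def _as_list(value):
    # IAM allows a single string or a list in Action, Resource and Principal.AWS.
    return value if isinstance(value, list) else [value]

def _matches(patterns, value, fold_case=False):
    # Action names match case-insensitively; ARNs are compared as written. '*' and '?' are wildcards.
    if fold_case:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _evaluate(policy, action, field, value):
    """Simplified evaluator: match `value` against Resource (identity policy) or
    Principal.AWS (trust policy) in statements naming `action`; explicit Deny wins.
    Not modelled: NotAction/NotResource/NotPrincipal, Condition, account-ID shorthand."""
    allowed = False
    for stmt in _as_list(policy.get("Statement", [])):
        if not _matches(stmt.get("Action", []), action, fold_case=True):
            continue
        if field == "Resource":
            target = stmt.get("Resource", [])
        else:
            principal = stmt.get("Principal", {})
            target = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if not _matches(target, value):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        allowed = True
    return allowed

def check_assume_role(identity_policy, trust_policy, caller_arn, role_arn):
    """Return the reasons AssumeRole would be denied; an empty list means both sides allow it."""
    findings = []
    if not _evaluate(identity_policy, "sts:AssumeRole", "Resource", role_arn):
        findings.append(f"caller identity policy does not allow sts:AssumeRole on {role_arn}")
    if not _evaluate(trust_policy, "sts:AssumeRole", "Principal", caller_arn):
        findings.append(f"role trust policy does not trust principal {caller_arn}")
    return findings
```

Run check_assume_role with the caller ARN from `aws sts get-caller-identity` and the role ARN you pass to assume-role; a mismatched ARN or account ID on either side shows up as a finding before you hit the API.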
Related information
How can I get data to assist in troubleshooting IAM permission access denied or unauthorized errors?
Switch from a user to an IAM role (console)
Switching to an IAM role (AWS CLI)