Hello Bigbmn,
Firstly, when you use the AWS CLI and you've specified the role ARN in the configuration file as you've done, the AWS CLI will try to assume that role when executing commands. This essentially means the CLI is requesting temporary credentials for that role to perform actions.
Your error indicates that there's an issue with the permissions associated with assuming that role.
Possible Solution: Adjust the trust relationship of the role. Here's a generic example of what it might look like:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
This is a basic trust policy that allows EC2 instances to assume the role. Depending on your architecture, you might want to narrow down which entities (e.g., specific EC2 roles) can assume this role.
After making adjustments, try the AWS CLI command again. If the issue persists, you might want to verify permissions and trust relationships in the AWS Management Console.
Hi, the error "User: arn:aws:sts::123456:assumed-role/myrolename/i-12345 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456:role/myrolename" indicates that the assumed-role session (arn:aws:sts::123456:assumed-role/myrolename/i-12345) is trying to assume the role myrolename again. When the IAM role myrolename is attached to an EC2 instance, the AWS CLI can by default use that role to perform actions such as S3 operations, so there is no need to reconfigure the AWS CLI to assume the same IAM role.
Thanks for the response. The role I'm specifying in the config file does have that exact trust relationship.
So based on the error I was getting, I needed to adjust the trusted entities to include the role, not just the EC2 instances, as follows:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": "arn:aws:iam::123456:role/myrole"
      },
      "Action": [
        "sts:AssumeRole"
      ]
    }
  ]
}
Which is somewhat confusing to me. The config file worked if I just had credential_source = Ec2InstanceMetadata
It originally failed when I added the role_arn to the config file, but then worked when I added that role to the trust.
I'm only going down this path because I want to use software whose goal is to work with role-based access.
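The two answers above describe why the EC2-only trust policy works for the instance profile but fails once the CLI profile gains a `role_arn`: the caller is then the role session (an `arn:aws:sts::…:assumed-role/…` principal), not the EC2 service, and IAM matches that session against the role ARN in the policy's `AWS` principal. The following Python script is an added illustration, not code from the thread or from AWS; it contains a simplified, hypothetical trust-policy evaluator (`trust_allows_assume_role`, which ignores Deny statements, wildcards in AWS principals and Condition blocks) and runs it over constructed copies of both policies from the thread, using the placeholder account id and role name that appear in the error message.

```python
import json
import re

# Constructed sample data: the two trust policies discussed in this thread.
# Account id 123456 and role name myrolename are the placeholders from the
# error message, not real resources.
EC2_ONLY_TRUST = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {"Service": "ec2.amazonaws.com"},
      "Action": "sts:AssumeRole"
    }
  ]
}
""")

EC2_AND_ROLE_TRUST = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": "arn:aws:iam::123456:role/myrolename"
      },
      "Action": ["sts:AssumeRole"]
    }
  ]
}
""")

# The caller identity quoted in the error: an STS session of the instance role.
SESSION_ARN = "arn:aws:sts::123456:assumed-role/myrolename/i-12345"

_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d+):assumed-role/([^/]+)/[^/]+$")


def session_to_role_arn(arn: str) -> str:
    """Map an STS assumed-role session ARN to the IAM role ARN.

    A trust policy names the role (arn:aws:iam::ACCOUNT:role/NAME) and IAM
    treats any session of that role as matching it, so this is the ARN to
    compare. Anything that is not a session ARN is returned unchanged.
    """
    m = _ASSUMED_ROLE.match(arn)
    if not m:
        return arn
    account, role = m.groups()
    return f"arn:aws:iam::{account}:role/{role}"


def _as_list(value):
    # IAM allows a single string or a list in Action/Principal elements.
    return value if isinstance(value, list) else [value]


def trust_allows_assume_role(policy: dict, *, caller_arn: str = None,
                             service: str = None) -> bool:
    """Hypothetical, simplified evaluator (not an AWS API).

    True if some Allow statement grants sts:AssumeRole to the caller:
    - caller_arn: the IAM or STS principal calling sts:AssumeRole itself
      (role chaining, e.g. a CLI profile with role_arn set);
    - service: an AWS service principal obtaining credentials on the
      instance's behalf (ec2.amazonaws.com for an instance profile).
    Deny statements, AWS-principal wildcards and Condition blocks are ignored.
    """
    effective = session_to_role_arn(caller_arn) if caller_arn else None
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        if effective and effective in _as_list(principal.get("AWS", [])):
            return True
        if service and service in _as_list(principal.get("Service", [])):
            return True
    return False


def explain(policy: dict) -> dict:
    """Check both ways an instance ends up using the role."""
    return {
        # Credentials fetched by the instance profile: EC2 assumes the role.
        "instance_profile": trust_allows_assume_role(policy, service="ec2.amazonaws.com"),
        # CLI profile with role_arn: the role session re-assumes the role itself.
        "role_chaining": trust_allows_assume_role(policy, caller_arn=SESSION_ARN),
    }


if __name__ == "__main__":
    for name, pol in (("ec2-only", EC2_ONLY_TRUST), ("ec2+role", EC2_AND_ROLE_TRUST)):
        print(name, explain(pol))
```

Running it shows the asymmetry the thread hit: the EC2-only policy yields `instance_profile: True, role_chaining: False`, while the policy with the role ARN added to the `AWS` principal yields `True` for both. The practical takeaway from the second answer still applies: on an instance that already carries the role, leaving `role_arn` out of the profile avoids the extra sts:AssumeRole call altogether, and the trust policy then does not need to trust the role itself.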