Why did I receive an "AccessDenied" or "Invalid information" error trying to assume a cross-account IAM role?

Last updated: 2021-07-30

I tried to assume a cross-account AWS Identity and Access Management (IAM) role. However, I received an error similar to the following:

"An error occurred (AccessDenied) when calling the AssumeRole operation:"

-or-

"Invalid information in one or more fields. Check your information or contact your administrator."

Short description

To assume an IAM role in another AWS account, first edit the permissions policy in one account (the account whose principal assumes the IAM role). Then, edit the trust policy in the other account (the account that owns the role and allows it to be assumed). For example, suppose you have two accounts, one named Account_Bob and the other named Account_Alice. You also have an IAM user or role named Bob in Account_Bob, and an IAM role named Alice in Account_Alice. In this scenario, Bob assumes the IAM role named Alice.

For a cross-account AssumeRole API call to succeed, both accounts must grant it: Bob's permissions policy must allow sts:AssumeRole on the ARN of the Alice role, and Alice's trust policy must name Bob as a trusted principal. If either side is missing, the call fails with AccessDenied. In the policies below, replace Account_Alice and Account_Bob with the 12-digit AWS account IDs.

Here's an example of the permissions required for Bob:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionToAssumeAlice",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::Account_Alice:role/Alice"
        }
    ]
}

And here's the example of the trust policy for Alice:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Account_Bob:user/Bob"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Resolution

It's a best practice to verify the following:

  • Bob has permission to call AssumeRole on the Alice role (the permissions policy above), and the Alice trust policy names Bob as a principal. The account ID and the principal type (user or role) in the trust policy must match the identity that makes the call.
  • You're signed in to Account_Bob as Bob. Run aws sts get-caller-identity to confirm the account ID and ARN of the credentials you're using. For more information, see your AWS account ID and its alias.
  • If Account_Bob is part of an organization in AWS Organizations, a service control policy (SCP) might restrict AssumeRole access in Account_Bob or Account_Alice. For more information, see service control policies (SCPs).
  • If you're using role chaining, you might still be using temporary credentials from a previous session (for example, the AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, and AWS_SESSION_TOKEN environment variables), so the caller is a role session rather than the principal that the trust policy expects. For more information, see the role chaining section in roles terms and concepts.

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you're using the most recent AWS CLI version.
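The following script is an added example, not code from this article or from AWS. It replays offline the checks that the two policies above and the list in this section describe: Bob's account SCP (if any) and Bob's permissions policy must allow sts:AssumeRole on the Alice role ARN, and the Alice trust policy must list the calling principal. It also shows the role-chaining case: a caller holding credentials from an earlier AssumeRole is an assumed-role session, which a trust policy naming user/Bob does not match. The account IDs, the BobRole session, and the DENY_SCP policy are constructed for the example; the evaluator is deliberately simplified (no Condition, NotAction or NotPrincipal elements, permissions boundaries, or session policies) and is a diagnostic aid, not a substitute for the IAM policy simulator.

```python
"""Offline cross-check of the policies that gate a cross-account AssumeRole.

Added example (not AWS tooling). Simplified IAM evaluation: explicit Deny wins,
then Allow, else implicit denial. No Condition/NotAction/NotPrincipal support.
"""
import fnmatch
import re

# Constructed placeholder account IDs standing in for Account_Bob / Account_Alice.
ACCOUNT_BOB = "111111111111"
ACCOUNT_ALICE = "222222222222"
ALICE_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ALICE}:role/Alice"
BOB_USER = f"arn:aws:iam::{ACCOUNT_BOB}:user/Bob"
# Constructed: a caller still holding credentials from an earlier AssumeRole (role chaining).
BOB_SESSION = f"arn:aws:sts::{ACCOUNT_BOB}:assumed-role/BobRole/cli-session"

BOB_POLICY = {  # the permissions policy from the article, with a numeric account ID
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PermissionToAssumeAlice", "Effect": "Allow",
                   "Action": "sts:AssumeRole", "Resource": ALICE_ROLE_ARN}],
}
ALICE_TRUST = {  # the trust policy from the article
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": BOB_USER}}],
}
DENY_SCP = {  # constructed SCP that blocks assuming any IAM role
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"},
                  {"Effect": "Deny", "Action": "sts:AssumeRole",
                   "Resource": "arn:aws:iam::*:role/*"}],
}

_ASSUMED_ROLE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/.+$")


def _as_list(value):
    return [] if value is None else value if isinstance(value, list) else [value]


def _matches(pattern, candidate, fold=False):
    """IAM-style wildcard match (* and ?); fold=True for case-insensitive actions."""
    if fold:
        pattern, candidate = pattern.lower(), candidate.lower()
    return fnmatch.fnmatchcase(candidate, pattern)


def account_of(arn):
    return arn.split(":")[4]


def normalize_caller(arn):
    """A trust policy matches an assumed-role session through its role ARN."""
    m = _ASSUMED_ROLE.match(arn)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else arn


def principal_matches(principal, caller_arn):
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    caller = normalize_caller(caller_arn)
    acct = account_of(caller)
    for entry in _as_list(principal.get("AWS")):
        # Exact ARN, or the whole account (bare ID / :root), which delegates the
        # decision to the caller account's own IAM policies.
        if entry in ("*", caller, acct, f"arn:aws:iam::{acct}:root"):
            return True
    return False


def evaluate(policy, action, resource=None, principal=None):
    """Return 'Allow', 'Deny' or 'Implicit' for one policy; an explicit Deny wins."""
    decision = "Implicit"
    for stmt in _as_list(policy.get("Statement")):
        if not any(_matches(a, action, fold=True) for a in _as_list(stmt.get("Action"))):
            continue
        if resource is not None and not any(
                _matches(r, resource) for r in _as_list(stmt.get("Resource"))):
            continue
        if principal is not None and not principal_matches(stmt.get("Principal"), principal):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def diagnose(caller_arn, bob_policy, alice_trust, role_arn=ALICE_ROLE_ARN, bob_scp=None):
    """Return (allowed, reasons): one reason per check that would yield AccessDenied."""
    reasons = []
    if bob_scp is not None:
        d = evaluate(bob_scp, "sts:AssumeRole", resource=role_arn)
        if d != "Allow":
            reasons.append(f"SCP on account {account_of(caller_arn)}: {d}")
    d = evaluate(bob_policy, "sts:AssumeRole", resource=role_arn)
    if d != "Allow":
        reasons.append(f"permissions policy of {caller_arn}: {d} for {role_arn}")
    d = evaluate(alice_trust, "sts:AssumeRole", principal=caller_arn)
    if d != "Allow":
        reasons.append(f"trust policy of {role_arn}: {d} for principal {normalize_caller(caller_arn)}")
    return not reasons, reasons


if __name__ == "__main__":
    for label, caller, scp in [("Bob as IAM user", BOB_USER, None),
                               ("Bob via leftover role session", BOB_SESSION, None),
                               ("Bob as IAM user, SCP deny", BOB_USER, DENY_SCP)]:
        ok, why = diagnose(caller, BOB_POLICY, ALICE_TRUST, bob_scp=scp)
        print(f"{label}: {'allowed' if ok else 'AccessDenied'}", *why, sep="\n  ")
```

To check a real pair of policies, fetch them with aws iam get-user-policy / get-role-policy (or get-policy-version for managed policies) and aws iam get-role, and pass the Arn reported by aws sts get-caller-identity as caller_arn; if that ARN starts with arn:aws:sts::...:assumed-role/, you are calling from a chained session and the trust policy must name that role, not the IAM user.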