Why did I receive an "AccessDenied" or "Invalid information" error trying to assume an IAM role?

Last updated: 2020-06-16

I tried to assume an AWS Identity and Access Management (IAM) role. However, I received an error similar to the following:

"An error occurred (AccessDenied) when calling the AssumeRole operation:"

-or-

"Invalid information in one or more fields. Check your information or contact your administrator."

Short description

To assume an IAM role in another AWS account, first edit the permissions policy in one account (the account whose IAM user or role assumes the IAM role). Then, edit the trust policy in the other account (the account that owns the IAM role and allows it to be assumed). For example, suppose you have two accounts, one named Account_Bob and the other named Account_Alice. You also have two IAM users or roles, one named Bob and the other named Alice. In this scenario, Bob assumes the IAM role that's named Alice.

To use the AssumeRole API call across multiple accounts (cross-account), you need both a permissions policy that grants the calling identity sts:AssumeRole on the target role and a trust policy on the target role that allows that identity to assume it. Both are shown in the following examples.

Here's an example of the permissions policy required for Bob:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionToAssumeAlice",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::Account_Alice:role/Alice"
        }
    ]
}

And here's an example of the trust policy for the Alice role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Account_Bob:user/Bob"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
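
As an added illustration (not part of the original article, and not an AWS tool), the following Python script evaluates both halves of the check described above, Bob's permissions policy and Alice's trust policy, against constructed copies of the two example policies and reports which side would produce AccessDenied. The 12-digit account IDs are placeholders, and the evaluation is simplified: it ignores Condition elements, SCPs and permissions boundaries.

```python
import json
import re
# Constructed policies for the Bob/Alice scenario on this page; the 12-digit
# account IDs are placeholders standing in for Account_Bob and Account_Alice.
BOB_PERMISSIONS = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "PermissionToAssumeAlice", "Effect": "Allow", "Action": "sts:AssumeRole",
   "Resource": "arn:aws:iam::222222222222:role/Alice"}]}""")
ALICE_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:user/Bob"},
   "Action": "sts:AssumeRole"}]}""")

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _glob(pattern, value):
    # IAM policy wildcards: '*' matches any run of characters, '?' exactly one.
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value) is not None

def _verdict(statements, matches):
    # Simplified IAM logic for sts:AssumeRole: an explicit Deny wins, else any Allow.
    effects = [s["Effect"] for s in statements
               if any(_glob(a.lower(), "sts:assumerole") for a in _as_list(s["Action"]))
               and matches(s)]
    return "Deny" not in effects and "Allow" in effects

def identity_allows(policy, role_arn):
    # Caller's account: does the permissions policy cover the target role ARN?
    return _verdict(policy["Statement"], lambda s: any(
        _glob(r, role_arn) for r in _as_list(s.get("Resource", []))))

def trust_allows(policy, caller_arn):
    # Role's account: does the trust policy name this caller or its whole account?
    account = caller_arn.split(":")[4]
    whole_account = {"*", account, f"arn:aws:iam::{account}:root"}
    def principals(s):
        p = s.get("Principal", {})
        return _as_list(p.get("AWS", []) if isinstance(p, dict) else p)
    return _verdict(policy["Statement"], lambda s: any(
        p == caller_arn or p in whole_account for p in principals(s)))

def diagnose(caller_arn, identity_policy, role_arn, trust_policy):
    # Both halves must pass; report which side would yield AccessDenied.
    if not identity_allows(identity_policy, role_arn):
        return "denied: caller's permissions policy lacks sts:AssumeRole on " + role_arn
    if not trust_allows(trust_policy, caller_arn):
        return "denied: role trust policy does not trust " + caller_arn
    return "allowed"
```

Run diagnose with your own caller ARN, the policy JSON from the IAM console, and the target role ARN to see which of the two policies needs editing before retrying the real AssumeRole call.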

Resolution

It's a best practice to verify the following:

  • Bob has permission to call AssumeRole on the Alice role.
  • You're signed in to the AWS account as Bob. For more information, see Your AWS account ID and its alias.
  • If Account_Bob is part of an organization in AWS Organizations, a service control policy (SCP) might be restricting AssumeRole access in Account_Bob or Account_Alice. For more information, see Service control policies (SCPs).
  • If you're using role chaining, you might be using IAM credentials from a previous session. For more information, see the role chaining section in Roles terms and concepts.