How can I resolve issues with switching IAM roles using the AWS Management Console?

Last updated: 2022-04-05

I tried to switch AWS Identity and Access Management (IAM) roles using the AWS Management Console and received and error similar to the following:

"Invalid information in one or more fields. Check your information or contact your administrator".

Short description

This error can occur because of:

  • Incorrect AssumeRole action permissions
  • Incorrect IAM trust policy
  • Explicit deny from policies
  • Incorrect Account ID or role name
  • Requiring external ID to switch roles
  • Incorrect trust policy conditions

Resolution

Follow these instructions to verify the IAM policy configuration to switch IAM roles for your scenario.

Missing or incorrect AssumeRole action permissions

To switch to an IAM role, the IAM entity must have AssumeRole action permission. The IAM entity must have a policy with AssumeRole action permission similar to the following:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::account_id_number:role/role-name-you-want-to-assume"  
}

Make sure that the resource matches the Amazon Resource Name (ARN) of the IAM role that you want to switch to. For more information, see Granting a user permissions to switch roles.

IAM role trust policy doesn't trust the IAM user’s account ID

The IAM role trust policy defines the principals that can assume the role Verify that the trust policy lists the IAM user’s account ID as the trusted principal entity. For example, an IAM user named Bob with account ID 111222333444 wants to switch to an IAM role named Alice for account ID 444555666777. The account ID 111222333444 is the trusted account, and account ID 444555666777 is the trusting account. The IAM role Alice has a trust policy that trusts Bob similar to the following:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
                "AWS": “<111222333444>
            },
            "Condition": {}
        }
    ]
}

Note: It's a best practice to follow the principle of least privilege and specify the complete ARN for only the roles that the user needs.

For more information, see Modifying a role trust policy (console).

Explicit deny from service control policies (SCPs) or an IAM policy

If your AWS account is a part of an AWS Organizations, then your management account might have SCPs. Make sure that there is no explicit deny from the SCPs for the AssumeRole action. Check for SCPs that deny API actions based on AWS Regions. AWS Security Token Service (AWS STS) is a global service that must be included in the global service exclusion list. Make sure that there isn't any explicit deny from the IAM policies, because "deny" statements take precedence over "allow" statements.

For more information, see Deny access to AWS based on the requested AWS Region.

Verify the AWS account ID and IAM role name

Verify that the account ID and IAM role name are correct on the switch role page. The account ID is a 12-digit identifier, and the IAM role name is the name of the role that you want to assume.

For more information, see Things to know about switching roles in the console.

Requiring external ID to switch to the IAM role

Administrators can use an external ID to give third-party access to AWS resources. You can't switch IAM roles in the AWS Management Console to a role that requires an ExternalId condition key value. You can switch to IAM roles only by calling the AssumeRole action that supports the ExternalId key.

For more information, see How to use an external ID when granting access to your AWS resources to a third party.

Valid conditions on the IAM role trust policy

Verify that you meet all the conditions that are specified in the IAM role's trust policy. A condition can specify an expiration date, an external ID, or that requests must come only from specific IP addresses. In the following example policy, If the current date is any time after the specified date, then the condition is false. The policy can't grant permissions to assume the IAM role.

"Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::account_id_number:role/role-name-you-want-to-assume"
    "Condition": {
        "DateLessThan" : {
            "aws:CurrentTime" : "2016-05-01T12:00:00Z"
        }
    }