Why did I receive an "AccessDenied" or "Invalid information" error trying to assume a cross-account IAM role?


I tried to assume a cross-account AWS Identity and Access Management (IAM) role. However, I received an error similar to the following: "An error occurred (AccessDenied) when calling the AssumeRole operation:" -or- "Invalid information in one or more fields. Check your information or contact your administrator."

Short description

To assume an IAM role in another AWS account, first edit the permissions in the account whose principal assumes the role (Account_Bob in the example below). Then, edit the trust policy in the account that owns the role being assumed and therefore allows the assumption (Account_Alice in the example below).

For example, suppose you have two accounts, one named Account_Bob and the other named Account_Alice. You also have an IAM user or role named Bob in Account_Bob, and an IAM role named Alice in Account_Alice. In this scenario, Bob will assume the IAM role that's named Alice.

To use the AssumeRole API call across accounts, two policies must agree: an identity-based policy on the assuming principal (Bob) that grants sts:AssumeRole on the target role's ARN, and a trust policy on the target role (Alice) that names the assuming principal. Both are similar to the following:

Here's an example of the permissions policy required for Bob:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "PermissionToAssumeAlice",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::Account_Alice:role/Alice"
    }
  ]
}

And here's an example of the trust policy for the role Alice:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::Account_Bob:user/Bob"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Resolution

To avoid errors when assuming a cross-account IAM role, keep the following points in mind:

Note: If you receive errors when running AWS Command Line Interface (AWS CLI) commands, make sure that you’re using the most recent AWS CLI version.

  • The assuming role, Bob, must have permissions for AssumeRole.
  • You must be signed in to the AWS account as Bob. For more information, see your AWS account ID and its alias.
  • The role being assumed, Alice, must exist. Make sure that it's not deleted and that the ARN is configured correctly.
  • If you're using role chaining, make sure that you're not using IAM credentials from a previous session. For more information, see the role chaining section in roles terms and concepts.
  • If Account_Bob or Account_Alice is part of an organization in AWS Organizations, a service control policy (SCP) might restrict AssumeRole in either account. For more information, see service control policies (SCPs).
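The first three checks in the list above (Bob is allowed to call AssumeRole on Alice's ARN, the ARN is well-formed, and Alice's trust policy actually names Bob) can be run offline against the two policy documents before touching AWS. The script below is an added example, not code from the article or from AWS; it embeds constructed versions of the Bob and Alice policies shown earlier with made-up 12-digit account IDs, and it reports which side of the pair is misconfigured. It generalizes slightly beyond the article's policies: it honours IAM wildcards in Action and Resource, treats an account-root principal in the trust policy as trusting the whole account, and applies the explicit-Deny-wins rule. Role existence and SCPs can only be checked against AWS itself and are out of scope here.

```python
import json
import re

# Constructed sample data for this added example (not from the article): the
# Bob/Alice scenario with made-up 12-digit account IDs as placeholders.
ACCOUNT_BOB = "111111111111"
ACCOUNT_ALICE = "222222222222"
BOB_ARN = f"arn:aws:iam::{ACCOUNT_BOB}:user/Bob"
ALICE_ARN = f"arn:aws:iam::{ACCOUNT_ALICE}:role/Alice"

# Identity-based policy attached to Bob (Account_Bob side).
BOB_PERMISSIONS_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PermissionToAssumeAlice", "Effect": "Allow",
                   "Action": "sts:AssumeRole", "Resource": ALICE_ARN}],
})

# Trust policy attached to the role Alice (Account_Alice side).
ALICE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": BOB_ARN},
                   "Action": "sts:AssumeRole"}],
})

# A role ARN must carry a 12-digit account ID, not a placeholder like Account_Alice.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def _as_list(value):
    """IAM lets most fields be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(pattern, value, case_insensitive):
    """Match an IAM pattern with '*' and '?' wildcards against a concrete value."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if case_insensitive else 0) is not None


def _covers_assume_role(statement):
    # Action names are case-insensitive; "sts:*" or "*" also cover AssumeRole.
    return any(_matches(a, "sts:AssumeRole", True)
               for a in _as_list(statement.get("Action", [])))


def permissions_allow_assume(policy_json, role_arn):
    """True if the identity policy allows sts:AssumeRole on role_arn and no
    statement explicitly denies it (an explicit Deny always wins in IAM)."""
    allowed = denied = False
    for st in _as_list(json.loads(policy_json).get("Statement", [])):
        if not _covers_assume_role(st):
            continue
        if not any(_matches(r, role_arn, False) for r in _as_list(st.get("Resource", []))):
            continue
        allowed |= st.get("Effect") == "Allow"
        denied |= st.get("Effect") == "Deny"
    return allowed and not denied


def _principal_matches(entry, principal_arn):
    """Does one 'AWS' principal entry of a trust policy cover principal_arn?"""
    if entry == "*" or entry == principal_arn:
        return True
    # A bare account ID or the account root ARN trusts the whole account; the
    # caller then still needs an Allow in its own identity-based policy.
    account = principal_arn.split(":")[4]
    return entry in (account, f"arn:aws:iam::{account}:root")


def trust_allows_principal(trust_json, principal_arn):
    """True if the role's trust policy lets principal_arn call sts:AssumeRole."""
    allowed = denied = False
    for st in _as_list(json.loads(trust_json).get("Statement", [])):
        if not _covers_assume_role(st):
            continue
        principal = st.get("Principal", {})
        entries = [principal] if isinstance(principal, str) else _as_list(principal.get("AWS", []))
        if not any(_principal_matches(e, principal_arn) for e in entries):
            continue
        allowed |= st.get("Effect") == "Allow"
        denied |= st.get("Effect") == "Deny"
    return allowed and not denied


def diagnose(permissions_json, trust_json, caller_arn, role_arn):
    """Return a list of finding codes; an empty list means both sides line up."""
    findings = []
    if not ROLE_ARN_RE.match(role_arn):
        findings.append("BAD_ROLE_ARN")          # e.g. placeholder left in the ARN
    elif not permissions_allow_assume(permissions_json, role_arn):
        findings.append("CALLER_NOT_PERMITTED")  # fix Bob's policy in Account_Bob
    if not trust_allows_principal(trust_json, caller_arn):
        findings.append("CALLER_NOT_TRUSTED")    # fix Alice's trust policy in Account_Alice
    return findings


if __name__ == "__main__":
    print(diagnose(BOB_PERMISSIONS_POLICY, ALICE_TRUST_POLICY, BOB_ARN, ALICE_ARN) or "OK")
```

Run it with the real policy documents (for example the output of `aws iam get-role` for the trust policy) and the ARN returned by `aws sts get-caller-identity` as the caller, which also confirms you are signed in as Bob rather than as a previous role-chaining session. A finding on only one side tells you which account's policy to edit.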

Related information

How can I get data to assist in troubleshooting IAM permission access denied or unauthorized errors?

Switching to a role (console)

Switching to an IAM role (AWS CLI)

1 Comment

It's indeed a great article to follow if you are facing permission issues in assuming cross-account IAM role. Informational

replied 4 months ago