Step by step rundown to troubleshoot AWS cross-account assume role issues.
AWS cross-account role access is one of the most common use cases in cloud environments, and it is a headache to troubleshoot if you are not familiar enough with IAM. In this article we walk you through a step-by-step procedure for drilling down into the root cause of why AWS cross-account IAM role access is not working.
Typically you will see an error message like:
An error occurred (AccessDeniedException) when calling the xxx operation: User: arn:x....x is not authorized to perform xxx:xxx on resource arn:x....x because no resource-based policy allows the xxx:xxx action.
Let's define the terms used in the steps below:
- account1 is the account from which the assume-role request is initiated.
- account2 is the account in which the target role, role2, exists; the IAM entity from account1 is trying to assume it.
- The IAM entity from account1 can be an IAM user or an IAM role.
Consider the following steps and points, which will help you troubleshoot cross-account access issues:
- The account1 IAM entity (user or role) must have the sts:AssumeRole permission defined in an IAM policy attached to it. If that permission has a Condition attached, the assume call must satisfy those conditions.
- account2's IAM role role2 must have a trust policy defined, and that trust policy must trust the account1 IAM entity (user or role) that is initiating the assume call.
- If the trust policy has a Condition field, the assume call must satisfy those conditions.
- account2's IAM role must have the permissions properly defined that account1's IAM entity wants to use in
Or you can go through the below flow chart and drill down to the root cause of your problem!
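As an added example that is not part of the original article, the Python script below applies the first two checks from the list above (identity policy allows sts:AssumeRole on role2; role2's trust policy trusts the caller and its conditions hold) to policy documents offline, so you can see which step fails before touching the AWS console. The ARNs, both policies and the sts:ExternalId condition are constructed sample values; explicit Deny statements and condition operators other than StringEquals/StringLike are deliberately not modelled.

```python
import fnmatch

# Constructed sample policies and ARNs (assumed values, not taken from the article).
ROLE2_ARN = "arn:aws:iam::222222222222:role/role2"
CALLER_ARN = "arn:aws:iam::111111111111:user/alice"
ACCOUNT1_IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                           "Resource": "arn:aws:iam::222222222222:role/*"}]}
ROLE2_TRUST_POLICY = {"Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                                     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
                                     "Condition": {"StringEquals": {"sts:ExternalId": "expected-id"}}}]}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _match(value, patterns):
    # IAM-style wildcards (* and ?), matched case-sensitively as for ARNs and action names.
    return value is not None and any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))

def _conditions_met(statement, context):
    # Only StringEquals and StringLike are modelled; any other operator counts as unmet.
    for operator, pairs in statement.get("Condition", {}).items():
        for key, expected in pairs.items():
            if operator == "StringEquals" and context.get(key) in _as_list(expected):
                continue
            if operator == "StringLike" and _match(context.get(key), expected):
                continue
            return False
    return True

def identity_allows_assume(policy, role_arn, context):
    """Step 1: the caller's identity policy must allow sts:AssumeRole on role2 (Deny not modelled)."""
    return any(st.get("Effect") == "Allow" and _match("sts:AssumeRole", st.get("Action", []))
               and _match(role_arn, st.get("Resource", [])) and _conditions_met(st, context)
               for st in _as_list(policy["Statement"]))

def trust_allows_caller(trust, caller_arn, context):
    """Step 2: the trust policy must name the caller, its account ID or its account root, with conditions met."""
    account_id = caller_arn.split(":")[4]
    accepted = {caller_arn, account_id, f"arn:aws:iam::{account_id}:root"}
    return any(st.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(st.get("Action", []))
               and accepted & set(_as_list(st.get("Principal", {}).get("AWS", [])))
               and _conditions_met(st, context)
               for st in _as_list(trust["Statement"]))

def diagnose(identity_policy, trust_policy, caller_arn, role_arn, context):
    """Walk the checklist in order and report the first failing step, or 'ok'."""
    if not identity_allows_assume(identity_policy, role_arn, context):
        return "step1: caller is not allowed sts:AssumeRole on the target role (or its condition failed)"
    if not trust_allows_caller(trust_policy, caller_arn, context):
        return "step2: target role's trust policy does not trust the caller (or its condition failed)"
    return "ok"
```

The `context` argument holds the request keys the assume call actually presents (here only `sts:ExternalId`), so passing an empty context reproduces the failure of an assume call made without the ExternalId the trust policy requires.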