Step by step rundown to troubleshoot AWS cross-account assume role issues.

AWS cross-account role access is one of the most common use cases in cloud environments and is always a headache to troubleshoot if one is not familiar enough with IAM. In this article, we will walk you through step by step procedure to drill down into the root cause of why AWS cross-account IAM role access is not working.

Typically, you will be seeing error messages like –

An error occurred (AccessDeniedException) when calling the xxx operation: User: arn:x....x is not authorized to perform xxx:xxx on resource arn:x....x because no resource-based policy allows the xxx:xxx action.

Let’s formalise the legends for a better understanding of the below steps:

• account1 is the account from which role assume request is initiated
• account2 is the account in which target role2 exists and IAM entity from account1 is trying to assume it.
• IAM entity from account1 can be IAM user or role.

Consider below steps/points that will help you troubleshoot cross-account access issues.

1. account1 IAM entity (user/role)should have permission sts:AssumeRole defined in IAM policy attached to it. If it has some condition attached to it, those conditions must be satisfied in the assume call.
2. account2‘s IAM role role2 should have trust policy defined. This trust policy should trusts (principal field) the account1 or account1‘s IAM entity (user/role) which is initiating the assume call.
3. If trust policy is having condition defined (condition field), then assume call should be satisfying those conditions.
4. account2‘s IAM role must have permissions properly defined that account1’s IAM entity want to use in account2.

Or you can go through the below flow chart and drill down to the root cause of your problem!