IAM Role (arn:aws:iam::xxxxxxxxxxxx:role/demo) cannot be assumed

I created an assume role 2 months back in a dev account and updated my root user in the trust relationship. Terraform was working fine with that configuration.

Now I have done the same thing, but while running terraform plan, I am getting this error:

Error: operation error STS: AssumeRole, https response error StatusCode: 403, RequestID: c0e2ae10-cbaf-44b3-9ecc-16e180405088, api error AccessDenied: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/demo/aws-go-sdk-1667304405742939100 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxx:role/demo

I don't know what the reason is; the roles and trust relationship were exactly the same. May I know what the reason for this error is?

I’d take a look here: Granting a user permissions to switch roles - AWS Identity and Access Management

It sounds like your user does not have the ability to assume the role (sts:AssumeRole permission). Check that the trusted relationships include a statement like:

{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:sts::xxxxxxxxxxxx:assumed-role/demo/aws-go-sdk-1667304405742939100"
  },
  "Action": "sts:AssumeRole"
}

aws-go-sdk-1667304405742939100, but here, this “1667304405742939100” number keeps changing whenever I run terraform plan

Hi, I hope someone can help me sort this out. I have been waiting a long time for the team to help me.

This portion of the Role ARN, aws-go-sdk-1667304405742939100, is just a session name, and it will keep changing when a new STS token is requested. It has no bearing on the role being assumed.

Back to what @gstotts was saying, based on the error, it sounds like the IAM user “demo” does not have permissions to assume the demo role.
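
Added example, not part of any post in this thread: a small Python helper that parses the AccessDenied message quoted above, strips the per-run session name to recover the underlying role ARN, and reports whether the caller is already running as the role it is trying to assume. The function names and the sample string are constructed for illustration; the account ID stays masked as on the page.

```python
import re

# Constructed sample: the error text from the thread, account ID masked as on the page.
SAMPLE_ERROR = (
    "api error AccessDenied: User: "
    "arn:aws:sts::xxxxxxxxxxxx:assumed-role/demo/aws-go-sdk-1667304405742939100 "
    "is not authorized to perform: sts:AssumeRole on resource: "
    "arn:aws:iam::xxxxxxxxxxxx:role/demo"
)

_DENIED = re.compile(
    r"User: (?P<caller>arn:\S+) is not authorized to perform: "
    r"sts:AssumeRole on resource: (?P<target>arn:\S+)"
)
_SESSION = re.compile(
    r"^arn:(?P<part>[^:]+):sts::(?P<acct>[^:]+):"
    r"assumed-role/(?P<role>[^/]+)/(?P<session>.+)$"
)


def session_to_role_arn(arn):
    """Return (role_arn, session_name) for an assumed-role session ARN.

    Any other ARN (for example an IAM user) is returned unchanged with None.
    A session ARN omits the role's path, so the rebuilt ARN is exact only
    for roles created without a path.
    """
    m = _SESSION.match(arn)
    if not m:
        return arn, None
    return f"arn:{m['part']}:iam::{m['acct']}:role/{m['role']}", m["session"]


def analyze_denied(message):
    """Extract caller and target from an sts:AssumeRole AccessDenied message."""
    m = _DENIED.search(message)
    if not m:
        raise ValueError("not an sts:AssumeRole AccessDenied message")
    caller, target = m["caller"], m["target"].rstrip(".,")
    caller_role, session = session_to_role_arn(caller)
    return {
        "caller": caller,
        "caller_role": caller_role,    # stable across runs
        "session_name": session,       # changes on every new STS session
        "target": target,
        "self_assume": caller_role == target,  # already running as the target role
    }


if __name__ == "__main__":
    for key, value in analyze_denied(SAMPLE_ERROR).items():
        print(f"{key}: {value}")
```

For the message in this thread, `caller_role` and `target` are the same ARN, so `self_assume` is true: the credentials Terraform starts with already belong to the demo role.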