AWS StsClient：用户无权执行：sts：资源上的AssumeRole

Question

By trying to get s3 object(of account1) from ec2 instance(of account2), the Sts session creation is failed with error: "User arn:aws:sts::99 *804963:assumed-role/i-9B6331541002 f46-us-west is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::85*****15:role/MyS3DataReadRole

To provide access to fetch s3 object:

1. I've created permission in account2 with GetObject access to the s3 object(arn).
2. I've provided trust relationship for the role, where Principal.AWS = arn:aws:sts::99* 804963:role/i-9B6331541002 f46-us-west

The only suspicious point here is "assumed-role" instead of "role" in the user instance arn. AFAIK The user arn is calculated automatically by AWS SDK automatically, but I can't understand why "assumed-" prefix is added before the "role". Ie in error message is mentioned: "arn:aws:sts::99 804963:assumed-role/i-9B6331541002 f46-us-west" but in trust relationship I've provided correct arn, ie "arn:aws:sts::99 804963:role/i-9B6331541002 f46-us-west"

Answer 1

You also have to create the assume role policy and attach it to the EC2 instance role (99*804963) so that EC2 instance role can have permissions to assume the role (85*****15:role) which has read permissions for the S3 object.

{ 
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::85*****15:role/MyS3DataReadRole"
        }
    ]
}

Please update the account id in the above policy with actual one.