Aws cli - Role chaining - Use a master role in primary account to assume a secondary role in other account

I need to assume a temp role in a secondary account from a primary account. For the primary account I already have a role which has an assume role policy for the temp role in the secondary role. But when I am executing the command

aws sts assume-role --role-arn ${primaryRoleArn} --role-session-name ${awsProfile}

I am getting this error

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::xxxxxxx:user/primary is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::secondaryAccount:role/secondary_role

What am I doing wrong?

The credentials in your ~/.aws/credentials file must be explicitly allowed to assume this role. So in the primary role's trust policy, you must add your user as an allowed principal.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::${AccountId}:user/${AwsUserName}"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
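As an added example (not part of the question or the answer above), here is the two-hop sequence the question describes, with placeholder account IDs and role names: the second assume-role call is made with the primary role's temporary credentials, so it is the primary role, not the IAM user, that must be the allowed principal in the secondary role's trust policy.

```shell
#!/bin/sh
# Added example, not from the original post: two-hop role chaining with the AWS CLI.
# Account IDs and role names are placeholders; the IAM user's own credentials must be
# the ones active (env vars or AWS_PROFILE) when chain_roles starts.
set -eu

PRIMARY_ROLE_ARN="arn:aws:iam::111111111111:role/primary_role"
SECONDARY_ROLE_ARN="arn:aws:iam::222222222222:role/secondary_role"
SESSION_NAME="${USER:-cli}-chain"

# Ask STS for the three credential fields of one role as a single tab-separated line,
# using whatever credentials are currently active.
assume_role_line() {
  aws sts assume-role \
    --role-arn "$1" \
    --role-session-name "$SESSION_NAME" \
    --duration-seconds 3600 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text
}

# Turn "key<TAB>secret<TAB>token" into the environment variables the CLI and SDKs read.
# The fields contain no whitespace, so plain word splitting is safe. AWS_PROFILE is
# unset so the next call cannot silently fall back to the user's long-lived profile.
export_creds_line() {
  set -- $1
  if [ "$#" -ne 3 ]; then
    echo "assume-role returned $# fields, expected 3" >&2
    return 1
  fi
  AWS_ACCESS_KEY_ID=$1
  AWS_SECRET_ACCESS_KEY=$2
  AWS_SESSION_TOKEN=$3
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  unset AWS_PROFILE
}

chain_roles() {
  # Hop 1: the IAM user's credentials assume the primary role.
  export_creds_line "$(assume_role_line "$PRIMARY_ROLE_ARN")"
  # Hop 2: only the primary role's temporary credentials are active now, so this call is
  # made as the primary role. Chained sessions are capped at one hour by STS.
  export_creds_line "$(assume_role_line "$SECONDARY_ROLE_ARN")"
  aws sts get-caller-identity   # should report an assumed-role ARN for secondary_role
}

# Run the chain only when asked, so the file can also be sourced for its functions.
if [ "${RUN_CHAIN:-0}" = 1 ]; then
  chain_roles
fi
```

Run it with `RUN_CHAIN=1 sh chain.sh`; if hop 2 fails with AccessDenied, the secondary role's trust policy does not list the primary role's ARN as a principal.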
