I'm using a multi-account architecture using AWS Control Tower and AWS Organization. I have a master account with an IAM user called agent (with no policies attached and with only CLI access) and then I have another AWS account called dev where I have created a new role called workload-deployer (ARN -> arn:aws:iam::809348927750:role/workload-deployer ) with the following trust relationship:-
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::185288728304:user/agent"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
When I'm trying to assume this role and I'm getting the below error:-
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::185288728304:user/agent is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::809348927750:role/workload-deployer
The command which I'm running to assume the role:-
aws sts assume-role --role-arn arn:aws:iam::809348927750:role/workload-deployer --role-session-name "RoleSession1" --duration-seconds 900 --profile zm
In order to assume a role, you need permissions to exist in 2 places:
sts:AssumeRole
permission.It sounds like you are lacking the permission for #1.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.