Role assumption trust policy

0

Hi, I need my account to perform actions on behalf of another account. Please, could you tell me how to do it? I am trying to create trust policies in both accounts:

  • The main one, called AccountID A, should have a trust policy with the following structure under "Statement":

      {
      "Action": [ "sts:AssumeRole" ],
      "Resource": "*",
      "Effect": "Allow"
      }

  • My account, called AccountID B, should contain another trust policy, with the following structure under "Statement":

      {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Principal": { "AWS": "A" }
      }

Is that right?
asked 9 months ago, 416 views
2 Answers
2

Hi,

If you are logged in as an IAM user/role in Account A and want to assume an IAM role in Account B, here is how the setup would look:

Source Account: Account_A
Target Account: Account_B

  • Account A user/role must have this policy attached:

      {
      "Version": "2012-10-17",
      "Statement": [
          {
          "Effect": "Allow",
          "Action": [
              "sts:AssumeRole"
          ],
          "Resource": [
              "arn:aws:iam::Account_B:role/Account_B_Role_to_be_Assumed"
          ]
          }
      ]
      }
    
  • Account B role must have this trust policy:

      {
      "Version": "2012-10-17",
      "Statement": [
          {
          "Effect": "Allow",
          "Principal": {
              "AWS": "arn:aws:iam::Account_A:user/Account_A_User"
          },
          "Action": "sts:AssumeRole"
          }
      ]
      }

    (Use "AWS": "arn:aws:iam::Account_A:role/Account_A_Role" instead if you are logged in to Account_A via an IAM role.)

Please refer to the re:Post Knowledge Center article, which has a step-by-step guide for assuming a role.

Hope this helps.

Comment here if you have additional questions, happy to help.

Abhishek

AWS EXPERT, answered 9 months ago
AWS EXPERT, reviewed 9 months ago

0

Hi, thanks!

I've tried this but I still get the same error. This is my case: I am a selling partner on Amazon, so, in order to get some data from my selling partner account, I am using the sp_api Python library.

However, when I try to get some orders data using my credentials (refresh_token, lwa_app_id, lwa_client_secret, aws_secret_key and role_arn= 'arn:aws:iam::xxxxxxxxxxxx:user/jose' ), I get the following error:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::xxxxxxxxxxxx:user/jose is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxx:user/jose

How can I fix this?

answered 8 months ago
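The following Python script is an added example for this thread, not code from either poster or from AWS. It builds the two policy documents from Abhishek's answer and runs an offline check that mirrors the two-sided evaluation IAM performs for sts:AssumeRole: the caller's identity policy in Account A must allow the action on the role ARN, and the role's trust policy in Account B must name the caller (or the caller's account, as in the question's Principal "A"). It also covers the follow-up post's case, where the role_arn passed to the client is a user ARN, which can never be assumed. The account IDs, user and role names, and the check_assume_role helper are assumptions made for the example; the model handles Allow statements only (no explicit Deny, permissions boundaries or SCPs), and the sts:ExternalId condition is shown because it is the usual confused-deputy guard when the caller is a third party such as an integration.

```python
"""Offline sanity check for the two-sided sts:AssumeRole evaluation.
Added example; account IDs, names and helpers are assumptions, not real resources."""
import re

# Only IAM roles can be the target of sts:AssumeRole.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/[\w+=,.@/-]+$")
# Caller identities: IAM user, IAM role, or account root.
PRINCIPAL_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):(user|role|root)(/[\w+=,.@/-]+)?$")

# Assumed example identities (placeholder account IDs).
CALLER_USER = "arn:aws:iam::111111111111:user/Account_A_User"
TARGET_ROLE = "arn:aws:iam::222222222222:role/Account_B_Role_to_be_Assumed"


def identity_policy(target_role_arn):
    """Policy attached to the caller in Account A: AssumeRole on one role only."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": [target_role_arn]}]}


def trust_policy(principal, external_id=None):
    """Trust policy on the role in Account B. principal is a caller ARN, an account ID
    or an account root ARN; external_id adds the standard confused-deputy guard."""
    stmt = {"Effect": "Allow", "Principal": {"AWS": principal}, "Action": "sts:AssumeRole"}
    if external_id:
        stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _allows_assume_role(actions):
    return any(a.lower() in ("sts:assumerole", "sts:*", "*") for a in _as_list(actions))


def _resource_matches(pattern, arn):
    """IAM-style wildcard match: '*' any run of characters, '?' one character."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, arn) is not None


def _principal_matches(principal, caller_arn):
    """'*', the exact caller ARN, the caller's account ID or its root ARN all match;
    the account forms delegate the final decision to Account A's identity policies."""
    if principal == "*":
        return True
    match = PRINCIPAL_ARN_RE.match(caller_arn)
    account = match.group(1) if match else None
    for entry in _as_list(principal.get("AWS", [])):
        if entry == "*" or entry in (caller_arn, account, f"arn:aws:iam::{account}:root"):
            return True
    return False


def check_assume_role(caller_arn, target_arn, caller_policy, target_trust, external_id=None):
    """Return (allowed, reason). Allow statements only: explicit Deny, NotPrincipal,
    permissions boundaries and SCPs are out of scope for this check."""
    if not ROLE_ARN_RE.match(target_arn):
        return False, f"{target_arn} is not a role ARN; only IAM roles can be assumed"
    # Side 1: the caller's own identity policy must allow sts:AssumeRole on the role.
    side1 = any(
        s.get("Effect") == "Allow"
        and _allows_assume_role(s.get("Action", []))
        and any(_resource_matches(r, target_arn) for r in _as_list(s.get("Resource", [])))
        for s in caller_policy.get("Statement", []))
    if not side1:
        return False, f"{caller_arn} has no identity policy allowing sts:AssumeRole on {target_arn}"
    # Side 2: the role's trust policy must name the caller (or the caller's account).
    for s in target_trust.get("Statement", []):
        if s.get("Effect") != "Allow" or not _allows_assume_role(s.get("Action", [])):
            continue
        if not _principal_matches(s.get("Principal", {}), caller_arn):
            continue
        required = s.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if required is not None and required != external_id:
            return False, "trust policy requires sts:ExternalId and the supplied value does not match"
        return True, "allowed by both the identity policy and the trust policy"
    return False, f"trust policy on {target_arn} does not list {caller_arn} as a principal"


def run_examples():
    """The answer's setup, the question's whole-account variant, a missing ExternalId,
    and the follow-up post's mistake of passing a user ARN as role_arn."""
    broad = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"], "Resource": "*"}]}
    user_arn = "arn:aws:iam::111111111111:user/jose"  # constructed, mirrors the follow-up post
    return {
        "answer_setup": check_assume_role(CALLER_USER, TARGET_ROLE, identity_policy(TARGET_ROLE),
                                          trust_policy(CALLER_USER)),
        "whole_account": check_assume_role(CALLER_USER, TARGET_ROLE, broad, trust_policy("111111111111")),
        "missing_external_id": check_assume_role(CALLER_USER, TARGET_ROLE, identity_policy(TARGET_ROLE),
                                                 trust_policy(CALLER_USER, external_id="sp-api-example-id")),
        "user_arn_as_role": check_assume_role(user_arn, user_arn, identity_policy(user_arn),
                                              trust_policy(user_arn)),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_examples().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY '} {reason}")
```

Running it shows the first two cases allowed and the last two denied; the final case reproduces the shape of the AccessDenied message in the follow-up post, since the resource named in role_arn is a user, not a role. When the trust policy names a whole account rather than a specific user or role, keep the caller-side identity policy scoped to the one role ARN instead of "*", as in the answer, so that every principal in Account A does not become able to assume it.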
