Why did I receive an "AccessDenied" or "Invalid information" error trying to assume a cross-account IAM role?
3 minute read
I tried to assume a cross-account AWS Identity and Access Management (IAM) role. However, I received an error similar to the following:
"An error occurred (AccessDenied) when calling the AssumeRole operation:"
"Invalid information in one or more fields. Check your information or contact your administrator."
To assume the IAM role in another AWS account, first edit the permissions in one account (the account that assumed the IAM role). Then, edit the trust policy in the other account (the account that allows the assumption of the IAM role).
For example, suppose you have two accounts, one named Account_Bob and the other named Account _Alice. You also have an IAM user or role named Bob in Account_Bob, and an IAM role named Alice in Account_Alice. In this scenario, Bob will assume the IAM role that's named Alice.
To use the AssumeRole API call with multiple accounts or cross-accounts, you must have a trust policy to grant permission to assume roles similar to the following:
Here's the example of the permissions required for Bob:
If you're using role chaining, make sure that you're not using IAM credentials from a previous session. For more information, see the role chaining section in roles terms and concepts.
If Account_Bob is part of an AWS Organizations, there might be a service control policy (SCP) restricting AssumeRole access with Account_Bob or Account_Alice. For more information, see service control policies (SCPs).