Role chaining problem (aws console role-chaining)

0

Hi, I'm trying to achieve "role chaining" as in https://aws.plainenglish.io/aws-iam-role-chaining-df41b1101068. I have a user admin-user-01 with this policy assigned:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<accountid>:role/admin_group_role"
    }
}

I have a role, which is meant for admin-user-01, with role_name = admin_group_role and trust policy =

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<accountid>:user/admin-user-01"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

And it also has a policy:

{
    "Version": "2012-10-17",
    "Statement": {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::<accountid>:role/test-role"
    }
}

Then I have another role, which is assigned to the role above (admin_group_role), with role_name = test-role and trust policy =

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<accountid>:role/admin_group_role"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

But when I log in to the account as admin-user-01, then switch to the role admin_group_role, and then try to switch to the role test-role,

I get: Invalid information in one or more fields. Check your information or contact your administrator.

P.S. <accountid> is the same everywhere; all of the roles, users and permissions are created in the same account (which, I suppose, might be the reason why I face the error).

What am I doing wrong?

2 Answers
0
Accepted Answer

I tried to do a "double switch role" in the AWS web console, which apparently is not supported; in the AWS CLI everything works fine (https://www.reddit.com/r/aws/comments/rxgjbs/iam_role_chaining_via_console/hriu0mr/).

answered 2 years ago
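The accepted answer points at the console, not the policies, as the blocker. As an added example (not from the question or either answer), the following script re-evaluates the two-hop chain admin-user-01 -> admin_group_role -> test-role offline against the policies quoted in the question, checking each hop against both the caller's identity policy and the target role's trust policy. The account id is a constructed placeholder, and the evaluator is deliberately minimal (Allow statements only; no Deny, wildcard or Condition handling).

```python
# Added example: offline consistency check of the role chain from the question.
# ACCOUNT is a constructed placeholder standing in for <accountid>.
ACCOUNT = "123456789012"
USER = f"arn:aws:iam::{ACCOUNT}:user/admin-user-01"
ADMIN_ROLE = f"arn:aws:iam::{ACCOUNT}:role/admin_group_role"
TEST_ROLE = f"arn:aws:iam::{ACCOUNT}:role/test-role"

# Identity-based policies from the question: who may call sts:AssumeRole on which role.
IDENTITY_POLICIES = {
    USER: {"Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
                         "Resource": ADMIN_ROLE}},
    ADMIN_ROLE: {"Statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Resource": TEST_ROLE}},
}
# Trust policies from the question: which principals each role accepts.
TRUST_POLICIES = {
    ADMIN_ROLE: {"Statement": [{"Effect": "Allow", "Principal": {"AWS": USER},
                                "Action": "sts:AssumeRole"}]},
    TEST_ROLE: {"Statement": [{"Effect": "Allow", "Principal": {"AWS": ADMIN_ROLE},
                               "Action": "sts:AssumeRole"}]},
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allow_statements(policy):
    return [s for s in _as_list(policy.get("Statement", [])) if s.get("Effect") == "Allow"]

def identity_allows(caller, role_arn):
    """True if the caller's identity policy grants sts:AssumeRole on role_arn."""
    return any("sts:AssumeRole" in _as_list(s.get("Action")) and role_arn in _as_list(s.get("Resource"))
               for s in _allow_statements(IDENTITY_POLICIES.get(caller, {})))

def trust_allows(caller, role_arn):
    """True if role_arn's trust policy lists caller as an allowed AWS principal.
    A session of admin_group_role actually calls as an assumed-role ARN, which STS
    matches against the role ARN in the trust policy; the role ARN stands in for it here."""
    return any("sts:AssumeRole" in _as_list(s.get("Action"))
               and caller in _as_list(s.get("Principal", {}).get("AWS", []))
               for s in _allow_statements(TRUST_POLICIES.get(role_arn, {})))

def check_chain(start, roles):
    """Evaluate each hop: the caller's policy AND the target's trust policy must both allow it."""
    hops, caller = [], start
    for role in roles:
        hops.append((caller, role, identity_allows(caller, role) and trust_allows(caller, role)))
        caller = role
    return hops
```

Both hops evaluate as allowed, which matches the CLI behaviour in the answer; note that STS caps the session obtained by the second (chained) hop at one hour regardless of the role's configured maximum session duration.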
0

Looking in the documentation, that error shows up midway down the troubleshooting section. Without knowing if you're doing this in a corporate account or if you're the full-blown admin, there are some steps you can trace in that link. Hope that helps.

AWS
Dan_H
answered 2 years ago
