Trying to follow AWS CLI documentation for EC2 Instance to access S3 Bucket


Attempting to utilize the AWS CLI documentation the following works: aws s3 ls s3://mybucketname

With the following is specified in conf file [default] region = us-east-1 credential_source = Ec2InstanceMetadata

I've setup a Role, policy and attached that to the instance

However, if I add the following that the documentation specifies [default] role_arn = arn:aws:iam::12345:role/myrolename region = us-east-1 credential_source = Ec2InstanceMetadata

aws s3 ls s3://mybucketname Will fail with An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456:assumed-role/myrolename/i-12345 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456:role/myrolename

Why do I care that this syntax doesn't work, but he first one does? I'm using CLI to model some product behavior, that I need to specify a Role to Access a bucket. Figured this should work first

asked 9 months ago285 views
2 Answers

Hello Bigbmn,

Firstly, when you use the AWS CLI, and you've specified the role ARN in the configuration file as you've done, AWS CLI will try to assume that role when executing commands. This essentially means the CLI is requesting temporary credentials for that role to perform actions.

Your error indicates that there's an issue with the permissions associated with assuming that role.

Possible Solution: Adjust the trust relationship of the role. Here's a generic example of what it might look like:

  "Version": "2012-10-17",
  "Statement": [
      "Effect": "Allow",
      "Principal": {
        "Service": ""
      "Action": "sts:AssumeRole"

This is a basic trust policy that allows EC2 instances to assume the role. Depending on your architecture, you might want to narrow down which entities (e.g., specific EC2 roles) can assume this role.

After making adjustments, try the AWS CLI command again. If the issue persists, you might want to verify permissions and trust relationships in the AWS Management Console.

profile picture
answered 9 months ago
profile picture
reviewed a month ago
  • Thanks for the response. The role I'm specifying in the config file, does have that exact Trust relationship.

  • So based on the error I was getting, I needed to adjust the Trusted entities to include the Role, not just the ec2 instances, as follows: { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "", "AWS": "arn:aws:iam::123456:role/myrole }, "Action": [ "sts:AssumeRole" ] } ] }

    Which somewhat is confusing to me. The config file worked if I just had credential_source = Ec2InstanceMetadata

    It originally failed when I added the role_arn to the config file, but then worked when I added that role to the Trust.

    I'm only going down this path, as I want to use software which the goal is to work with Role Based access


Hi, for the error "User: arn:aws:sts::123456:assumed-role/myrolename/i-12345 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456:role/myrolename", it indicates that the assumed role session (arn:aws:sts::123456:assumed-role/myrolename/i-12345) tries to assume role myrolename again. When the IAM role myrolename is attached in an EC2 instance, by default, AWS CLI will be able to use that role to perform actions such as S3 operations so that there is no need to reconfigure the AWS CLI to assume the same IAM role.

profile pictureAWS
answered 9 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content