Not authorized to perform: sts:AssumeRole

Question

Hello guy's,

Try to build application with usage custom library:
https://sp-api-docs.saleweaver.com/

And receive:
ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::*** is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::***

In the AWS console -> IAM -> Users 
Add to Permissions policies:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AssumeRole",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "*"
        }
    ]
}

In the AWS console -> IAM -> Roles
Add Trust relationships:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::***"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Can you show me the correct way to authorize AssumeRole for arn:iam user ?

Accepted Answer

Also one other thing to check is
https://repost.aws/knowledge-center/iam-assume-role-cli
Try working this out on the command line first often helps me understand if the policy is setup correctly.

Let me know if you have any issues with this, or if it helps you then please accept my answer after you've tried it out - it would be much appreciated! Good luck :)

Answer

you can follow these articles at first

https://stackoverflow.com/questions/41337079/how-enable-access-to-aws-sts-assumerole

**Create a policy to allow the action AssumeRole:**

Open the IAM console at https://console.aws.amazon.com/iam/.
In the navigation pane, choose Policies. then Create Policy 
On the Visual editor tab, choose Choose a service, find and choose STS.
For Actions, find and choose AssumeRole.
Choose Resources, then choose Any.
Choose Review policy.
For Name, enter a name for your policy, such as AllowAssumeRole, and then choose Create policy.
You've now created a policy that allows the sts:AssumeRole action on any resource.

**Attach the policy to your IAM user:**

In the navigation pane of the IAM console, choose Users.
Find and choose your user.
Choose the Permissions tab, and then choose Add permissions.
Choose Attach existing policies directly.
Find the AllowAssumeRole policy that you created in the previous step, select its check box, and then choose Next: Review.
Choose Add permissions.
You've now attached the policy that allows the sts:AssumeRole action to your user.

**Update the trust policy for the role to include your IAM user:**

In the navigation pane of the IAM console, choose Roles.
Find and choose your role.
Choose the Trust relationships tab, and then choose Edit trust relationship.
In the policy document, add a statement that allows your user to assume the role. The statement should look like this:

```
{
  "Effect": "Allow",
  "Principal": {
    "AWS": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:user/YOUR-USER-NAME"
  },
  "Action": "sts:AssumeRole"
}
```

Choose Update Trust Policy.

The IAM user should now be able to assume the role. If you're still having trouble, there might be a permissions boundary or SCP (Service Control Policy) that is preventing the action. You might also want to check if there is any conditional policy that might be preventing the action.

Also, keep in mind that the role's trust policy must grant the sts:AssumeRole permission to the entity that is assuming the role, and the entity that is assuming the role must also have the sts:AssumeRole permission to assume the role. This is a two-way permission requirement.

Not authorized to perform: sts:AssumeRole

Relevant content