- Newest
- Most votes
- Most comments
Hey RK,
So there are 3 places that a deny could be occurring, here:
- The role making the "AssumeRole" call doesn't have the explicit permission, or has been explicitly denied.
- The role being assumed doesn't permit "AssumeRole" at all, or specifically from the assuming role.
- An SCP is in place on your organisation which prevents this call from being made. If the 2 roles are in 2 separate AWS Organizations, then it could be an SCP in either.
Remember to bear in mind that a deny could be coming from not only an explicit deny statement, but also implicitly - because everything is implicitly denied by default on AWS. You may have a Condition block in a permission policy on the source role which grants access to "AssumeRole", but it could be incorrectly written and thus result in an implicit deny, because no permission is actually been given to it to make the call against the target role. Using the IAM Policy Simulator might be a good shout, here, or even IAM Access Analyzer.
If you're getting an error message in the console, it should also tell you where the deny is coming from - IAM policy, trust relationship, or SCP, which can help you narrow your search.
If all else fails, I would then say that you're going to need to start sharing some JSON from the roles - namely the statement granting access to "AssumeRole", the Trust Relationship allowing the role to be assumed, and any SCP or Permission Boundary that may be associated with either role. If you do add JSON to a comment, please make sure that you redact any account-sensitive/specific information, such as resource unique IDs and account numbers - both typically found in ARNs.
Relevant content
- asked a year ago
- asked 7 months ago
- AWS OFFICIALUpdated a year ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 2 years ago
- AWS OFFICIALUpdated 3 years ago