aws sts assume-role gives AccessDenied

0

I have the following setup:

  • I sign in to Account1
  • I have a role in Account2
  • There is a trust set up between the role and Account1 (requiring MFA)
  • I run AWS CLI in a WSL (Ubuntu) in Windows
  • I have ~/.aws/credentials set up with a named profile for the role

I can assume the role in account 2 in the web console without any problems. I can also do aws s3 ls --profile named-profile successfully. However, if I try to run aws sts assume-role with the role arn, I get an error:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: <my-user-arn> is not authorized to perform: sts:AssumeRole on resource: <the-role-arn>

I assume that I am missing something obvious, but I fail to see what...

3 Answers
1

It sounds like there may be extra configuration in the CLI needed. I will post an example of where I have a similar configuration. Could I confirm a couple of things? The sign in to Account 1 is done with IAM credentials that are configured in your CLI profile (profile1), and an MFA device is configured? Here is what I would use as a comparison:

[profile profile1]
aws_access_key_id=xxxxxxxxxx
aws_secret_access_key=xxxxxxxxx

[profile profile2]
source_profile=profile1
role_arn=arn:aws:iam::<Account2 ID>:role/<assumed role name>
mfa_serial = arn:aws:iam::<Account1 ID>:mfa/<mfa device name>

This removes the need to try aws sts assume-role; you just use --profile profile2 when running CLI commands across the assumed role into Account2. https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html

Another option may be using the aws sts get-session-token process described here https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/ which will get temporary credentials that can be used as environment variables.

AWS
answered 2 years ago
0

Hi, thanks for the input.

Yes, the sign in is with IAM credentials, with an MFA device configured.

In the "IAM Account" (account 1) I have a policy like this, which is connected to my user:

{
    "Condition": {
        "Bool": {
            "aws:MultiFactorAuthPresent": "true"
        }
    },
    "Action": [
        "sts:AssumeRole"
    ],
    "Resource": [
        "arn:aws:iam::<account-2>:role/<rolename>"
    ],
    "Effect": "Allow"
}

In the role in account 2, there is a trust configured like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::<account-1>:root"
            },
            "Action": "sts:AssumeRole",
            "Condition": {
                "Bool": {
                    "aws:MultiFactorAuthPresent": "true"
                }
            }
        }
    ]
}

My ~/.aws/credentials contains data like this:

[default]
aws_access_key_id = <My IAM user's access key id>
aws_secret_access_key = <My IAM user's secret access key>

[profile-name]
role_arn = arn:aws:iam::<account-2>:role/<rolename>
source_profile = default
mfa_serial = arn:aws:iam::<account-1>:mfa/<My IAM user name>

I do have a named profile configured, which works as expected (I can for instance do aws s3 ls --profile profile-name to list S3 buckets in account 2). When I run aws sts assume-role I get the MFA prompt, but then the error.

I need to perform the aws sts assume-role command to harvest parts of the output, which is needed for another (non-AWS) tool. Also, the script will not always run in a context where there is a CLI configuration with named profiles. I am mostly curious about how I can get the error, when there are clearly policies at play that explicitly grant me that particular permission (which in my opinion is proven by the functioning aws s3 ls command, and my ability to assume the role in the web console). I just assume that I am missing something obvious here :-)

fmork
answered 2 years ago
0

Hi, so after some verification I believe there are some extra parameters we have to add to the CLI command. The assume role command at the CLI should be in this format:

aws sts assume-role --role-arn <role arn in Account2> --role-session-name <reference name for session> --serial-number <mfa virtual device arn> --token-code <one time code from mfa device>

This should output the JSON blob with temporary role credentials. This doesn't use that second profile, but it is required to be able to retrieve the credentials.

AWS
answered 2 years ago
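Added example, not from the thread or from AWS: a small Python script that builds the assume-role command in the format the last answer gives and turns its JSON output into environment variables, which is what the asker wanted to do with the output. The reason the bare command fails while --profile works is in the posted policies: both the user policy and the role's trust policy require aws:MultiFactorAuthPresent to be true, and a call made directly with long-term access keys and no --serial-number/--token-code carries no MFA context, so the condition is false and STS returns AccessDenied. The named profile works because the CLI reads mfa_serial, prompts for the code and passes it on the AssumeRole call itself. Function names, the sample response (all values fake and constructed) and the assumption that the aws CLI is on PATH are mine.

```python
"""Build an MFA-bearing `aws sts assume-role` call and parse its output.

Added example; helper names and the sample response below are constructed.
"""
import json
import shlex
import subprocess
from datetime import datetime, timezone


def build_assume_role_cmd(role_arn, mfa_serial, token_code,
                          session_name="cli-session", duration=3600):
    """Return argv for an AssumeRole call that satisfies an MFA condition.

    --serial-number and --token-code are what make aws:MultiFactorAuthPresent
    evaluate true on the resulting call; without them the role's trust
    policy and the user's policy both deny the request.
    """
    if not (token_code.isdigit() and len(token_code) == 6):
        raise ValueError("token code must be the 6-digit code from the MFA device")
    return [
        "aws", "sts", "assume-role",
        "--role-arn", role_arn,
        "--role-session-name", session_name,
        "--serial-number", mfa_serial,
        "--token-code", token_code,
        "--duration-seconds", str(duration),
        "--output", "json",
    ]


def parse_credentials(json_text):
    """Extract the temporary credentials from the AssumeRole JSON response.

    CLI v1 prints Expiration with a trailing 'Z', v2 with '+00:00'; both are
    normalised to an aware datetime.
    """
    data = json.loads(json_text)
    creds = data["Credentials"]
    expiry = creds["Expiration"].replace("Z", "+00:00")
    return {
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": datetime.fromisoformat(expiry),
        "AssumedRoleArn": data["AssumedRoleUser"]["Arn"],
    }


def to_env_exports(creds):
    """Render the three variables the AWS CLI/SDKs read, shell-quoted.

    The session token is mandatory: the key id and secret alone are useless
    for temporary credentials, which is also why they cannot be dropped into
    a plain [profile] block without aws_session_token.
    """
    return "\n".join([
        f"export AWS_ACCESS_KEY_ID={shlex.quote(creds['AccessKeyId'])}",
        f"export AWS_SECRET_ACCESS_KEY={shlex.quote(creds['SecretAccessKey'])}",
        f"export AWS_SESSION_TOKEN={shlex.quote(creds['SessionToken'])}",
    ])


def is_expired(creds, now=None):
    """True once the temporary credentials have lapsed (they cannot be renewed)."""
    now = now or datetime.now(timezone.utc)
    return creds["Expiration"] <= now


def assume_with_mfa(role_arn, mfa_serial, token_code):
    """Run the CLI (assumed to be on PATH) and return the parsed credentials."""
    cmd = build_assume_role_cmd(role_arn, mfa_serial, token_code)
    out = subprocess.run(cmd, check=True, capture_output=True, text=True).stdout
    return parse_credentials(out)


# Constructed sample of what `aws sts assume-role` prints; every value is fake.
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",
        "SecretAccessKey": "exampleSecretKey/NotReal+0000000000000000",
        "SessionToken": "FwoGZXIvYXdzEXAMPLE//////////wEaDexample",
        "Expiration": "2024-05-01T13:00:00Z",
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:cli-session",
        "Arn": "arn:aws:sts::222222222222:assumed-role/ExampleRole/cli-session",
    },
})


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in assume_with_mfa()
    # with a real role ARN, MFA serial and current code to call STS.
    creds = parse_credentials(SAMPLE_RESPONSE)
    print(to_env_exports(creds))
```

Run it and `eval` the printed exports in the shell that needs them (`eval "$(python3 assume_mfa.py)"`); the credentials expire at the printed time and a fresh MFA code is needed to get new ones.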
