AdministratorAccess is not enough to assume a role using the CLI?

0

I have an IAM user. It's part of the group FullAdmins. This group has the policy 'AdministratorAccess'. This policy allows ALL actions on EVERY and EACH resource.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

I configured the CLI to use this IAM user.

But I cannot assume a role

aws sts assume-role --role-arn arn:aws:iam::888......380:role/cli --role-session-name prove-template-ipv6

I got

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::667.....831:user/myIamUserName is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::888...380:role/cli

Why?

My IAM user is essentially god! It can do everything it wants, but... cannot assume a role!?

2 Answers
2
Accepted Answer

Hello,

Here is an article explaining how you can allow an IAM user to assume a role in your AWS account: https://repost.aws/knowledge-center/iam-assume-role-cli

In order for an IAM user (arn:aws:iam::667.....831:user/myIamUserName) to assume the role (arn:aws:iam::888...380:role/cli), you must update the trust relationship policy of the role. This will enable the IAM user to assume a role.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::667.....831:user/myIamUserName"
    },
    "Action": "sts:AssumeRole"
  }
}
answered 24 days ago
EXPERT
reviewed 24 days ago
1

"This policy allows ALL actions on EVERY and EACH resources"

Allows actions in your account only.

The error message User: arn:aws:iam::667.....831:user/myIamUserName is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::888...380:role/cli shows that the user in account 667.....831 is trying to assume a role in account 888...380

The steps to follow, in both accounts, are in https://repost.aws/knowledge-center/cross-account-access-iam

EXPERT
Steve_M
answered 24 days ago
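
The two answers above describe the two halves of a cross-account AssumeRole decision: the caller's identity policy and the role's trust policy. The following is an added example, not part of either answer and not AWS's own evaluation logic; it is a simplified model that ignores Deny statements, Condition blocks, SCPs and permission boundaries, and the account IDs are constructed placeholders.

```python
from fnmatch import fnmatchcase

# Constructed sample values: placeholder account IDs, not the ones from the question.
CALLER = "arn:aws:iam::111111111111:user/myIamUserName"
ROLE = "arn:aws:iam::222222222222:role/cli"
ADMIN_ACCESS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
TRUST_OWN_ACCOUNT_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
    "Action": "sts:AssumeRole"}}
TRUST_NAMES_CALLER = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": CALLER}, "Action": "sts:AssumeRole"}}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows_assume_role(statement):
    # True for an Allow statement whose Action pattern covers sts:AssumeRole.
    actions = _as_list(statement.get("Action", []))
    return statement.get("Effect") == "Allow" and any(
        fnmatchcase("sts:assumerole", a.lower()) for a in actions)

def identity_allows(identity_policy, role_arn):
    """Caller's account: does the identity policy allow sts:AssumeRole on the role?"""
    return any(
        _allows_assume_role(st)
        and any(fnmatchcase(role_arn, r) for r in _as_list(st.get("Resource", [])))
        for st in _as_list(identity_policy["Statement"]))

def trust_allows(trust_policy, caller_arn):
    """Role's account: does the trust policy name the caller or the caller's account?"""
    account = caller_arn.split(":")[4]
    accepted = {"*", caller_arn, account, f"arn:aws:iam::{account}:root"}
    for st in _as_list(trust_policy["Statement"]):
        principal = st.get("Principal", {})
        named = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if _allows_assume_role(st) and accepted.intersection(named):
            return True
    return False

def can_assume_cross_account(identity_policy, trust_policy, caller_arn, role_arn):
    # Across accounts both sides must allow; AdministratorAccess covers only one.
    return (identity_allows(identity_policy, role_arn)
            and trust_allows(trust_policy, caller_arn))

if __name__ == "__main__":
    for name, trust in [("own account only", TRUST_OWN_ACCOUNT_ONLY),
                        ("names caller", TRUST_NAMES_CALLER)]:
        print(name, can_assume_cross_account(ADMIN_ACCESS, trust, CALLER, ROLE))
```

With the AdministratorAccess policy on the caller, the result flips from denied to allowed only when the role's trust policy names the caller or the caller's account.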
