AdminstratorAccess is not enough to assume a role using cli?

0

I've a IAM user It's part of group FullAdmins This group has the policy 'AdministratorAccess' This policy allows ALL actions on EVERY and EACH resources

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

I configured cli to use this iam user

But I cannot assume a role

aws sts assume-role --role-arn arn:aws:iam::888......380:role/cli --role-session-name prove-template-ipv6

I got

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::667.....831:user/myIamUserName is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::888...380:role/cli

Why?

My IAM user is exentially god ! can do everything it wants, but ... cannot assume role!??!

2 個答案
2
已接受的答案

Hello,

Here is an article explaining how you can allow an IAM user to assume a role in your AWS account: https://repost.aws/knowledge-center/iam-assume-role-cli

In order for an IAM user(arn:aws:iam::667.....831:user/myIamUserName) to assume the role (arn:aws:iam::888...380:role/cli). You must update the trust relationship policy of the role. This will enable the IAM user to assume a role.

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Principal": {
      "AWS": "arn:aws:iam::667.....831:user/myIamUserName"
    },
    "Action": "sts:AssumeRole"
  }
}
profile picture
專家
已回答 2 個月前
profile picture
專家
已審閱 2 個月前
1

This policy allows ALL actions on EVERY and EACH resources

Allows actions in your account only.

The error message User: arn:aws:iam::667.....831:user/myIamUserName is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::888...380:role/cli shows that the user in account 667.....831 is trying to assume a role in account 888...380

The steps to follow, in both accounts, are in https://repost.aws/knowledge-center/cross-account-access-iam

profile picture
專家
Steve_M
已回答 2 個月前

您尚未登入。 登入 去張貼答案。

一個好的回答可以清楚地回答問題並提供建設性的意見回饋,同時有助於提問者的專業成長。

回答問題指南