How to Fix AWS IAM Role Assume Role Access Denied
This tutorial shows how to diagnose and fix the AccessDenied error AWS returns when an IAM role cannot be assumed, with the CLI commands, policy documents and common mistakes involved.
You try to assume an IAM role and get `AccessDenied: User is not authorized to perform sts:AssumeRole`. The cause is a misconfigured trust policy on the role or missing permissions on the caller.
Step-by-Step Fix
1. Check the role trust policy

```bash
aws iam get-role --role-name MyCrossAccountRole --query 'Role.AssumeRolePolicyDocument'
```

Expected output:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/remote-user"},
            "Action": "sts:AssumeRole"
        }
    ]
}
```
2. Update the trust policy

Save the new trust policy as `trust-policy.json`:

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
        }
    ]
}
```

Apply it:

```bash
aws iam update-assume-role-policy --role-name MyCrossAccountRole --policy-document file://trust-policy.json
```
3. Add a permissions policy to the role

The policy in `permissions.json` defines what the role can do once it has been assumed (here, S3 access). It does not control who may assume the role; that is the trust policy above, together with `sts:AssumeRole` in the caller's own identity policy.

```bash
aws iam put-role-policy --role-name MyCrossAccountRole --policy-name S3Access --policy-document file://permissions.json
```
4. Assume the role

```bash
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/MyCrossAccountRole --role-session-name TestSession
```

Expected output:

```json
{
    "Credentials": {
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "IQoJb3JpZ2luX2VjEA...",
        "Expiration": "2024-01-15T11:00:00Z"
    }
}
```
5. Create a profile for the role

Add the following to `~/.aws/config` so the CLI assumes the role automatically:

```ini
[profile cross-account]
role_arn = arn:aws:iam::123456789012:role/MyCrossAccountRole
source_profile = default
```
Common Mistakes
| Mistake | Fix |
|---|---|
| Trust policy lists wrong account | Use the correct source account ID |
| No MFA but policy requires it | Remove the MFA condition or enable MFA |
| User has no sts:AssumeRole permission | Attach a policy with sts:AssumeRole |
| Role name typo | Verify the exact role ARN |
| External ID mismatch | Add or match the ExternalId condition |
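The mistakes in the table above can be checked offline against a trust policy before re-running `assume-role`. The following is an added example, not code from the original tutorial: it models only the checks this page discusses (trusted principal, MFA condition, ExternalId condition) and ignores Deny statements, the caller's identity policy and SCPs, so an empty result means the trust policy is not the blocker, not that the call will succeed. The sample policy is the one from step 2; `explain_denial` and its helpers are names chosen here.

```python
import json
import re

# Constructed sample: the trust policy from step 2 (account root principal plus an MFA condition).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
    }],
}

def _as_list(value):
    """IAM accepts a string or a list in most policy elements; normalise to a list."""
    return [value] if isinstance(value, str) else list(value or [])

def _principal_matches(principal, caller_arn):
    """A ':root' principal trusts every IAM identity in that account; anything else must match exactly."""
    if principal == "*":
        return True
    m = re.fullmatch(r"arn:aws:iam::(\d{12}):root", principal)
    if m:
        return caller_arn.split(":")[4] == m.group(1)  # field 4 of an ARN is the account ID
    return principal == caller_arn

def explain_denial(trust_policy, caller_arn, mfa_present=False, external_id=None):
    """Return why each Allow statement rejects this caller; [] means the trust policy permits the call."""
    doc = json.loads(trust_policy) if isinstance(trust_policy, str) else trust_policy
    reasons = []
    for st in doc["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(st.get("Action")):
            continue  # only Allow statements for sts:AssumeRole are modelled here
        principal = st.get("Principal", {})
        trusted = ["*"] if principal == "*" else _as_list(principal.get("AWS"))
        if not any(_principal_matches(p, caller_arn) for p in trusted):
            reasons.append(f"{caller_arn} is not a trusted principal (trusted: {trusted})")
            continue
        blockers = []
        cond = st.get("Condition", {})
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            blockers.append("MFA required by aws:MultiFactorAuthPresent but the caller has no MFA session")
        wanted = cond.get("StringEquals", {}).get("sts:ExternalId")
        if wanted is not None and external_id != wanted:
            blockers.append(f"sts:ExternalId must equal {wanted!r}, caller supplied {external_id!r}")
        if not blockers:
            return []  # this statement grants the assumption
        reasons.extend(blockers)
    return reasons or ["no Allow statement grants sts:AssumeRole"]
```

Feed it the document returned by `aws iam get-role` in step 1 and the ARN from `aws sts get-caller-identity` to see which row of the table applies.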
Prevention
- Always require MFA for cross-account role assumption.
- Use `aws:SourceIdentity` for additional security.
- Limit trust policies to specific users, not entire accounts.
- Rotate access keys regularly.
Built by the developers of DodaTech