
How to Fix AWS IAM Role Assume Role Access Denied

DodaTech Updated 2026-06-24 2 min read

In this tutorial you'll learn how to fix the AWS IAM AssumeRole AccessDenied error. We cover the key concepts, practical examples, and best practices so you can understand and apply them effectively.

You try to assume an IAM role and get AccessDenied: User is not authorized to perform sts:AssumeRole — the trust policy or permissions are misconfigured.

Step-by-Step Fix

1. Check the role trust policy

aws iam get-role --role-name MyCrossAccountRole --query 'Role.AssumeRolePolicyDocument'

Expected output:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:user/remote-user"},
            "Action": "sts:AssumeRole"
        }
    ]
}

2. Update the trust policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
        }
    ]
}

Apply it:

aws iam update-assume-role-policy --role-name MyCrossAccountRole --policy-document file://trust-policy.json

3. Add a permissions policy to the role

aws iam put-role-policy --role-name MyCrossAccountRole --policy-name S3Access --policy-document file://permissions.json

4. Assume the role

aws sts assume-role --role-arn arn:aws:iam::123456789012:role/MyCrossAccountRole --role-session-name TestSession

Expected output:

{
    "Credentials": {
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
        "SessionToken": "IQoJb3JpZ2luX2VjEA...",
        "Expiration": "2024-01-15T11:00:00Z"
    }
}

5. Create a profile for the role

[profile cross-account]
role_arn = arn:aws:iam::123456789012:role/MyCrossAccountRole
source_profile = default

Common Mistakes

Mistake                                  Fix
Trust policy lists wrong account         Use the correct source account ID
No MFA but policy requires it            Remove the MFA condition or enable MFA
User has no sts:AssumeRole permission    Attach a policy with sts:AssumeRole
Role name typo                           Verify the exact role ARN
External ID mismatch                     Add or match the ExternalId condition
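As an added example (not part of the original guide), the following offline check walks a trust policy document the way steps 1 and 2 describe and reports which of the common mistakes above would cause AccessDenied for a given caller. The embedded policy, caller ARNs and function names are constructed for illustration; nothing is fetched from AWS.

```python
import json
import re

# Constructed sample: the trust policy from step 2 of this guide, embedded
# inline so the check runs offline (nothing is fetched from AWS).
TRUST_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    }]
}""")

def account_of(arn):
    """Return the 12-digit account ID embedded in an IAM/STS ARN, or None."""
    m = re.match(r"arn:aws:(?:iam|sts)::(\d{12}):", arn)
    return m.group(1) if m else None

def _as_list(value):
    """Normalise a policy field that may be a single string or a list."""
    return [value] if isinstance(value, str) else list(value or [])

def diagnose(policy, caller_arn, mfa_present=False, external_id=None):
    """Explain why a trust policy would deny sts:AssumeRole to caller_arn.

    Returns [] when some Allow statement trusts the caller and its MFA /
    ExternalId conditions are met. Explicit Deny statements and other
    condition keys are not modelled, and the caller's own identity policy
    must still grant sts:AssumeRole on the role ARN (table row 3 above).
    """
    reasons = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal", {})
        trusted = _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)
        root_arn = "arn:aws:iam::%s:root" % account_of(caller_arn)  # account-level trust
        if caller_arn not in trusted and root_arn not in trusted and "*" not in trusted:
            continue  # wrong account or wrong principal: this statement never applies
        cond = stmt.get("Condition", {})
        problems = []
        if cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true" and not mfa_present:
            problems.append("MFA required by aws:MultiFactorAuthPresent")
        wanted = cond.get("StringEquals", {}).get("sts:ExternalId")
        if wanted is not None and wanted != external_id:
            problems.append("sts:ExternalId mismatch (policy expects %r)" % wanted)
        if not problems:
            return []  # this statement allows the call
        reasons.extend(problems)
    return reasons or ["no Allow statement trusts %s" % caller_arn]
```

Feed it the JSON returned by the get-role command from step 1 and the ARN from aws sts get-caller-identity to see which row of the table applies before editing the policy.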

Prevention

  • Always require MFA for cross-account role assumption.
  • Use aws:SourceIdentity for additional security.
  • Limit trust policies to specific users, not entire accounts.
  • Rotate access keys regularly.


FAQ

What is an IAM role trust policy?

A trust policy defines which principals (users, accounts, services) are allowed to assume the role. It is separate from the permissions policy.

How do I assume a role from the AWS CLI?

Use aws sts assume-role --role-arn <arn> --role-session-name <name> or configure a profile with role_arn and source_profile.

Why does AssumeRole fail with MFA enabled?

Ensure the CLI session is authenticated with MFA by using aws sts get-session-token with the --serial-number and --token-code parameters.
