AWS Identity and Access Management
User Guide

Troubleshooting IAM Roles

Use the information here to help you diagnose and fix common issues that you might encounter when working with IAM roles.

I Can't Assume a Role

  • Verify that your IAM policy grants you permission to call sts:AssumeRole for the role that you want to assume. The Action element of your IAM policy must allow you to call the AssumeRole action, and the Resource element of your IAM policy must specify the role that you want to assume. The Resource element can specify a role by its Amazon Resource Name (ARN) or by using a wildcard (*). At least one policy that applies to you must grant permissions similar to the following:

    {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::account_id_number:role/role-name-you-want-to-assume"
    }
  • Verify that you meet all the conditions that are specified in the role's trust policy. A Condition can specify an expiration date, an external ID, or that a request must come only from specific IP addresses. In the following example, if the current date is any time after the specified date, then the policy never matches and cannot grant you the permission to assume the role.

    {
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": "arn:aws:iam::account_id_number:role/role-name-you-want-to-assume",
        "Condition": { "DateLessThan": { "aws:CurrentTime": "2016-05-01T12:00:00Z" } }
    }
  • Verify that the AWS account that you are calling AssumeRole from is a trusted entity for the role that you are assuming. Trusted entities are defined as a Principal in a role's trust policy. The following example is a trust policy attached to the role you want to assume. In this example, the account that contains the IAM user you signed in with must be 123456789012. If your account number is not listed in the Principal element of the role's trust policy, then you cannot assume the role, no matter what permissions are granted to you in access policies. Note that the example policy limits permissions to actions that occur between July 1, 2017 and December 31, 2017 (UTC), inclusive. If you log in before or after those dates, then the policy does not match, and you cannot assume the role.

    {
        "Effect": "Allow",
        "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
        "Action": "sts:AssumeRole",
        "Condition": {
            "DateGreaterThan": { "aws:CurrentTime": "2017-07-01T00:00:00Z" },
            "DateLessThan": { "aws:CurrentTime": "2017-12-31T23:59:59Z" }
        }
    }
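The three checks above can be run locally before calling AssumeRole. The following is an added example, not code from the AWS User Guide: a simplified evaluator that takes the caller's identity policy, the role's trust policy, the caller's account ID and a timestamp, and reports which of the three checks would fail. It models only Allow statements, sts:AssumeRole, exact or wildcard Resource values, the {"AWS": ...} Principal form, and the DateGreaterThan/DateLessThan conditions shown in this section; it is not the real IAM policy engine, and the sample policies are constructed to mirror the examples above.

```python
from datetime import datetime
from fnmatch import fnmatchcase
ASSUME = "sts:AssumeRole"

def _as_list(value):  # Action, Resource and Principal.AWS may be a string or a list
    return value if isinstance(value, list) else [value]

def _dates_ok(condition, now):
    # Only DateGreaterThan / DateLessThan on aws:CurrentTime are modelled (assumption).
    for operator, keys in (condition or {}).items():
        bound = keys.get("aws:CurrentTime")
        if bound is None:
            continue  # other condition keys are outside this checker's scope
        limit = datetime.fromisoformat(bound.replace("Z", "+00:00"))
        if (operator == "DateLessThan" and not now < limit) or \
           (operator == "DateGreaterThan" and not now > limit):
            return False
    return True

def assume_role_findings(identity_policy, trust_policy, caller_account, role_arn, now):
    """Return the failed checks as strings; an empty list means all three pass."""
    findings = []
    # Check 1: the caller's own policy allows sts:AssumeRole on this role (wildcards honoured).
    if not any(s.get("Effect") == "Allow" and ASSUME in _as_list(s.get("Action", []))
               and any(fnmatchcase(role_arn, r) for r in _as_list(s.get("Resource", [])))
               for s in identity_policy["Statement"]):
        findings.append(f"identity policy does not allow {ASSUME} on {role_arn}")
    # Check 2: the caller's account root is a Principal in the role's trust policy.
    caller = f"arn:aws:iam::{caller_account}:root"
    matching = [s for s in trust_policy["Statement"]
                if s.get("Effect") == "Allow" and ASSUME in _as_list(s.get("Action", []))
                and caller in _as_list(s.get("Principal", {}).get("AWS", []))]
    if not matching:
        findings.append(f"account {caller_account} is not a Principal in the trust policy")
    # Check 3: the matching trust statement's Condition must also hold at call time.
    elif not any(_dates_ok(s.get("Condition"), now) for s in matching):
        findings.append(f"trust policy Condition does not match at {now.isoformat()}")
    return findings

# Constructed sample policies mirroring the examples in this section.
ROLE_ARN = "arn:aws:iam::123456789012:role/role-name-you-want-to-assume"
IDENTITY_POLICY = {"Statement": [{"Effect": "Allow", "Action": ASSUME, "Resource": ROLE_ARN}]}
TRUST_POLICY = {"Statement": [{
    "Effect": "Allow", "Action": ASSUME, "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
    "Condition": {"DateGreaterThan": {"aws:CurrentTime": "2017-07-01T00:00:00Z"},
                  "DateLessThan": {"aws:CurrentTime": "2017-12-31T23:59:59Z"}}}]}

def check_at(when_iso, caller_account="123456789012", identity_policy=IDENTITY_POLICY):
    # Evaluate the sample policies at an ISO-8601 UTC instant, e.g. "2017-08-15T12:00:00Z".
    now = datetime.fromisoformat(when_iso.replace("Z", "+00:00"))
    return assume_role_findings(identity_policy, TRUST_POLICY, caller_account, ROLE_ARN, now)
```

Calling check_at inside the date window returns an empty list, while a call outside the window, from an untrusted account, or with an identity policy naming a different role returns the corresponding finding.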

I Can't Edit or Delete a Role in My IAM Account

When you include a service-linked role in your account, that role includes predefined trusts and permissions that are required by the service in order to perform actions on your behalf. You can create a service-linked role from within IAM, but because the role is linked to the service, you cannot customize the role within IAM. In the IAM console, when you view the Summary page for a role, the page includes a banner to indicate that the role is a service-linked role. You can manage and delete these roles only through the linked service. Be careful when modifying or deleting this role because doing so could remove permissions that the service needs to access AWS resources. See the AWS documentation for the service to learn how to modify or delete a role linked to that service.