AWS Identity and Access Management
User Guide

Troubleshooting IAM Roles

Use the information here to help you diagnose and fix common issues that you might encounter when working with IAM roles.

I cannot assume a role.

  • Verify that your IAM policy grants you permission to call sts:AssumeRole for the role that you want to assume. The Action element of your IAM policy must allow you to call the AssumeRole action, and the Resource element of your IAM policy must specify the role that you want to assume. The Resource element can specify a role by its Amazon Resource Name (ARN) or by using a wildcard (*). At least one policy applicable to you must grant permissions similar to the following:

    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::account_id_number:role/role-name-you-want-to-assume"
    }

  • Verify that you meet all the conditions that are specified in the role's trust policy. A Condition can specify an expiration date, an external ID, or that a request must come only from specific IP addresses. In the following example, if the current date is any time after the specified date, then the policy never matches and cannot grant you the permission to assume the role.

    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::account_id_number:role/role-name-you-want-to-assume",
      "Condition": {
        "DateLessThan": { "aws:CurrentTime": "2016-05-01T12:00:00Z" }
      }
    }

  • Verify that the AWS account that you are calling AssumeRole from is a trusted entity for the role that you are assuming. Trusted entities are defined as a Principal in a role's trust policy. The following example is a trust policy attached to the role you want to assume. In this example, the account ID of the IAM user you signed in with must be 123456789012. If your account number is not listed in the Principal element of the role's trust policy, then you cannot assume the role, no matter what permissions are granted to you in access policies. Note that the example policy also requires that users who access the role must sign in using multi-factor authentication (MFA). If you do not sign in as a user in the specified AWS account or by using an MFA device, then the policy does not match, and you cannot assume the role. Note that this requires you to use short-term credentials, because long-term credentials like access keys do not work with MFA. Only short-term credentials can satisfy this condition: those of IAM roles, federated users, AWS Management Console users (the console assigns short-term credentials on behalf of the user in the background), and IAM users that get temporary credentials by calling sts:GetSessionToken first.

    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::123456789012:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "Bool": { "aws:MultiFactorAuthPresent": "true" }
      }
    }
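The three checks above can be walked in order before opening a support case. The following is an added example, not code from the AWS User Guide and not the IAM policy evaluator itself: it models only the policy elements this page uses (Action, Resource, Principal, and the DateLessThan and Bool condition operators) and reports which of the three causes would block an AssumeRole call. The role ARN, account IDs, policies and request context are constructed sample values, and the helper names (identity_policy_allows, trust_policy_problem, diagnose) are this example's own.

```python
# Added example: an offline walk through the three AssumeRole failure causes
# described above. Not AWS's evaluator; policies and context are constructed.
import re
from datetime import datetime, timezone

ROLE_ARN = "arn:aws:iam::123456789012:role/role-name-you-want-to-assume"

# Caller's identity policy: must allow sts:AssumeRole on the role ARN.
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": ROLE_ARN}],
}

# Role's trust policy: trusted account plus MFA and expiry Conditions.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": "sts:AssumeRole",
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "DateLessThan": {"aws:CurrentTime": "2016-05-01T12:00:00Z"},
        },
    }],
}


def _as_list(value):
    """Action, Resource and Principal values may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _glob(pattern, value):
    """IAM-style wildcard match: '*' matches any run, '?' one character."""
    parts = [re.escape(p).replace(r"\?", ".") for p in pattern.split("*")]
    return re.fullmatch(".*".join(parts), value) is not None


def _iso(ts):
    """Parse the UTC timestamp form used by aws:CurrentTime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _condition_holds(condition, context):
    """Evaluate the operators this page mentions. A key that is absent from
    the request context never matches, which is how IAM treats it."""
    for operator, pairs in (condition or {}).items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "DateLessThan":
                ok = _iso(actual) < _iso(expected)
            elif operator == "Bool":
                ok = str(actual).lower() == str(expected).lower()
            else:
                raise ValueError(f"operator {operator} is not modelled here")
            if not ok:
                return False
    return True


def _names_assume_role(stmt):
    # Action names are matched case-insensitively, like IAM does.
    return any(_glob(a.lower(), "sts:assumerole") for a in _as_list(stmt.get("Action")))


def identity_policy_allows(policy, role_arn):
    """Cause 1: the caller's own policy must allow AssumeRole on the role ARN
    (an explicit Deny on a matching statement wins over any Allow)."""
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _names_assume_role(stmt):
            continue
        if not any(_glob(r, role_arn) for r in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def trust_policy_problem(trust_policy, caller_account, context):
    """Causes 2 and 3: None when some Allow statement trusts the caller's
    account and all of its Conditions hold, otherwise the blocking reason."""
    reason = "no Allow statement for sts:AssumeRole in the trust policy"
    root_arn = f"arn:aws:iam::{caller_account}:root"
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow" or not _names_assume_role(stmt):
            continue
        principals = _as_list((stmt.get("Principal") or {}).get("AWS"))
        if root_arn not in principals and caller_account not in principals:
            reason = f"account {caller_account} is not a trusted Principal"
            continue
        if not _condition_holds(stmt.get("Condition"), context):
            reason = "a Condition in the trust policy does not match this request"
            continue
        return None
    return reason


def diagnose(identity_policy, trust_policy, role_arn, caller_account, context):
    """Return the findings that would block the call; empty means it passes."""
    findings = []
    if not identity_policy_allows(identity_policy, role_arn):
        findings.append("identity policy does not allow sts:AssumeRole on " + role_arn)
    problem = trust_policy_problem(trust_policy, caller_account, context)
    if problem:
        findings.append(problem)
    return findings
```

Calling `diagnose(IDENTITY_POLICY, TRUST_POLICY, ROLE_ARN, "123456789012", {"aws:CurrentTime": "2016-04-01T00:00:00Z", "aws:MultiFactorAuthPresent": "false"})` reports the MFA Condition as the blocker, which is the case long-term access keys run into. Real evaluation also involves service control policies, permissions boundaries and session policies that this example leaves out, so an empty result here narrows the search rather than proving the call will succeed.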