Martin Paucot

Reputation: 1251

Not authorized to perform: sts:AssumeRole on resource

I'm trying to use kubectl to work on an EKS cluster created by another user. I followed the different instructions from the documentation to create the kube config file with the command: aws eks --region eu-central-1 update-kubeconfig --name internal --role-arn arn:aws:iam::xxxxxxxxxx:role/eks_role_internal

Then when I try to test the configuration (kubectl get svc), I'm getting the error:

could not get token: AccessDenied: User: arn:aws:iam::xxxxxxxxxxxx:user/me is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxxx:role/eks_role_internal

Here is the config for the Policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::xxxxxxxxxxx:role/eks_role_internal"
        }
    ]
}

And the trust relationship of the role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": [
          "eks.amazonaws.com",
          "ec2.amazonaws.com"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Upvotes: 2

Views: 7491

Answers (1)

Alex

Reputation: 81

The first reason for getting this error message is a misconfigured trusted relationship on the role that is going to be assumed.

I was also seeing this error when the MFA condition attached to the trusted relationship wasn't met:

"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}

The AWS CLI isn't smart enough to see this case and ask for the MFA code; it just throws that error message.

Upvotes: 1
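
An added example, not part of the question or the answer: a simplified Python check of the trust-policy side of sts:AssumeRole, run against the trust relationship posted in the question and against a hypothetical variant carrying the MFA condition from the answer. The account ID 111122223333, the MFA_TRUST policy and the function names are assumptions; explicit Deny statements, wildcard actions and other condition keys are not modelled.

```python
import json

# Constructed inputs: 111122223333 is a placeholder account ID.
CALLER = "arn:aws:iam::111122223333:user/me"
# Trust relationship as posted in the question: service principals only.
QUESTION_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"Service": ["eks.amazonaws.com", "ec2.amazonaws.com"]},
  "Action": "sts:AssumeRole"}]}""")
# Hypothetical variant: trusts the account's IAM principals but requires MFA.
MFA_TRUST = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Action": "sts:AssumeRole",
  "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}}]}""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principal, caller_arn):
    """True if the statement's Principal element names this IAM caller."""
    if principal == "*":
        return True
    if not isinstance(principal, dict):
        return False
    account = caller_arn.split(":")[4]
    trusted = _as_list(principal.get("AWS", []))
    # "Service" entries are never compared: they name AWS services, not IAM users.
    return any(p in ("*", caller_arn, account, f"arn:aws:iam::{account}:root")
               for p in trusted)

def explain_assume_role(trust_policy, caller_arn, mfa_present=False):
    """Simplified trust-policy check: Allow statements and the MFA Bool condition only."""
    reason = "no Allow statement names an AWS principal matching the caller"
    for stmt in _as_list(trust_policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        if not _principal_matches(stmt.get("Principal"), caller_arn):
            continue
        required = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
        if str(required).lower() == "true" and not mfa_present:
            reason = "caller is trusted, but the session lacks the required MFA"
            continue
        return True, "trust policy allows this caller"
    return False, reason

if __name__ == "__main__":
    for name, policy in (("question", QUESTION_TRUST), ("mfa", MFA_TRUST)):
        print(name, explain_assume_role(policy, CALLER))
```

Both denied cases surface from STS as the same AccessDenied message, which is why the check reports the reason separately.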
