Reputation: 39324
Assume AWS Role From User in Same Account
I'm a little confused about the requirements for assuming a role from an IAM user in the same AWS account.
Per this document: https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html:
If the user is in the same account as the role, then you can do either of the following:
Attach a policy to the user (identical to the previous user in a different account).
Add the user as a principal directly in the role's trust policy.
I explicitly added an assume-role policy to the group granted to my user and it could not assume the noted role:
{
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::123456789:role/some-role-name"
}
}
Once I added the account number as a principal to the trust policy of the target role, it started working though:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com",
"AWS": "arn:aws:iam::123456789:root"
},
"Action": "sts:AssumeRole"
}
]
}
So, I'm confused for 2 reasons:
- Why didn't the first policy alone work given the documentation I've quoted?
- The second bullet in the documentation says "add the user as a principal". I think I added the whole account though instead of the user. What is the syntax for adding just this user? I didn't come across it in the documents I read.
Upvotes: 2
Views: 7643
Answers (1)
Reputation:
1) That looks fine to me, given that the account ID and the role name are correct. Can you add the exact error you're getting?
This is an actual example of one of my policies which let users who are granted this policy to assume the role developer in the accounts acc1, acc2, and acc3:
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": [
"arn:aws:iam::acc1:role/developer",
"arn:aws:iam::acc2:role/developer",
"arn:aws:iam::acc3:role/developer"
]
}
]
}
2) Instead of root, use the arn for the IAM user. Something along the lines of "arn:aws:iam::123456789:user/John"
Upvotes: 2
Related Questions
- How to assign a role to an iam user?
- Assume role IAM Role from within an SSM command
- Can IAM user be assumed from IAM Role within the same account?
- Can IAM user assume a role, if the user is not described in the Trust policy of the role?
- Assume one role from another in the AWS management console
- Modify EC2 service role so that it can be assumed by an IAM user in the same account
- AWS: Assinging IAM roles to IAM users
- IAM role based on an existing set of credentials from another account
- AWS Assume role with EC2 instance IAM role not working
- assume IAM roles using user name and password