Reputation: 84
This has happened to me on multiple occasions and I can't for the life of me figure out why. Examples:
Boto3 script: If I create a role and then try to assume it, I will get an error. BUT if the role is already created, the service can assume it fine.
Ansible playbook: If I run a playbook which first creates the roles and then I try to assign them, I will get an error. BUT if I first run a different playbook and then the one that assigns the roles, everything is fine.
I have tried waiting to make sure the role is created, but I still got the error. The error is:
"An error occurred (InvalidInputException) when calling the CreateCrawler operation: Service is unable to assume role arn:aws:iam::<acc_id>:role/GlueReadS3. Please verify role's TrustPolicy"
The weird thing is, the same role can be assumed by CloudFormation just fine.
    {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {
                "Service": "glue.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }]
    }
I should mention that the boto3 error also returned the Role ARN (so I'm assuming that it was created), and also that I made a get_role beforehand to get the ARN; it also did not work.
Upvotes: 2
Views: 3053
Reputation: 21
Maybe you can check the role in IAM. In my case, I thought I created a role like arn:aws:iam::<acc_id>:role/GlueReadS3, but when I then went to IAM and checked, it was actually arn:aws:iam::<acc_id>:role/service-role/GlueReadS3.
Upvotes: 2
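An added example, not code from either post: IAM changes are eventually consistent, so a role created moments earlier may not yet be assumable by Glue, and the ARN should be read back from IAM so that any path such as `/service-role/` is included. The helper names, retry counts and delays below are assumptions; `glue` and `iam` are boto3 clients.

```python
import time

# Substring of the error text quoted in the question, lower-cased.
RETRY_MARKER = "unable to assume role"


def role_arn_from_iam(iam, role_name):
    """Return the ARN IAM reports, which includes any path (e.g. /service-role/)."""
    return iam.get_role(RoleName=role_name)["Role"]["Arn"]


def create_crawler_when_role_ready(glue, iam, role_name, crawler_args,
                                   attempts=6, base_delay=2.0, sleep=time.sleep):
    """Create a Glue crawler, retrying while Glue cannot yet assume the role.

    glue / iam: boto3 clients, e.g. boto3.client("glue") and boto3.client("iam").
    crawler_args: remaining CreateCrawler parameters (Name, DatabaseName, Targets).
    Returns the number of attempts that were needed.
    """
    arn = role_arn_from_iam(iam, role_name)  # never hand-build the ARN
    for attempt in range(1, attempts + 1):
        try:
            glue.create_crawler(Role=arn, **crawler_args)
            return attempt
        except Exception as exc:
            # botocore's ClientError carries the service error in .response
            err = getattr(exc, "response", {}).get("Error", {})
            retryable = (err.get("Code") == "InvalidInputException"
                         and RETRY_MARKER in err.get("Message", "").lower())
            # Anything else (or the final attempt) is a real failure: re-raise.
            if not retryable or attempt == attempts:
                raise
            sleep(base_delay * 2 ** (attempt - 1))  # exponential backoff
```

If every attempt fails with the same error, the trust policy or the role path is the more likely cause than propagation delay.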