user2516739

Reputation: 53

AWS Assume Role: "Invalid information in one or more fields."

I am planning to implement an AssumeRole scenario, so below is the scenario:

  1. The user will have the ability to create/stop EC2 instances but not terminate them.
  2. To terminate, he has to assume a role (the role to be assumed is EC2FullAccess).

I have done the following

  1. Create a user Test1 with permission to start/stop/launch EC2 instances and grant permission to assume the role (EC2FullAccess). Below is the policy for the user:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "ec2:*",
                "Effect": "Allow",
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": "ec2:TerminateInstances",
                "Resource": "*"
            },
            {
                "Action": "sts:AssumeRole",
                "Effect": "Allow",
                "Resource": "arn:aws:iam::226904037275:role/EC2FullAccess"
            }
        ]
    }
  2. Create a role in the same account with the name EC2FullAccess which gives permission to terminate EC2 instances. EC2FullAccess uses the AmazonEC2FullAccess permissions policy; below is its trust policy:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Service": "ec2.amazonaws.com"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }

Now when I log in as IAM user Test1 and then click on Switch Role, I provide the details below:

Account: 1234
Role: EC2FullAccess

When I click on Switch Role I get the error below:

Invalid information in one or more fields. Check your information or contact your administrator.

What is it that I am missing?

Upvotes: 2

Views: 13665

Answers (1)

John Rotenstein

Reputation: 269101

You can create the Role this way:

  • Create Role
  • For Type of Trusted Entity, select Another AWS Account and enter the Account ID for the same account (it is displayed in the same menu as the 'Switch Role' command) -- This might seem odd, but it creates the correct principal in the Trust Policy.
  • Attach desired policies and Save

Then, use Switch Role.

By the way, assigning EC2FullAccess is probably overkill -- it gives permission to do anything in EC2, including deleting VPCs, deleting Amazon EBS volumes, changing network settings, etc. I suggest you create a specific policy that grants TerminateInstances permission, and possibly even reduce that down to specific instances (e.g. by tag or VPC).

Upvotes: 3
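Putting the answer's console steps into policy documents, as an added example that is not part of the question or the answer: the trust policy the question posted (a Service principal, which only the EC2 service can use) beside the one the "Another AWS Account" option produces (the account's root principal), a narrower permissions policy for the role in place of AmazonEC2FullAccess, and a simplified check showing which trust policy admits an IAM principal. The account ID is the one from the role ARN in the question's user policy; the Env=sandbox tag is an assumption.

```python
ACCOUNT_ID = "226904037275"  # taken from the role ARN in the question's user policy

# Trust policy as posted in the question: only the EC2 service principal may
# assume the role, so an IAM user using Switch Role in the console is rejected.
TRUST_POLICY_ORIGINAL = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Trust policy produced by "Another AWS Account" with the same account ID: any
# IAM identity in the account whose own policy allows sts:AssumeRole on this
# role (user Test1 already has that statement) can assume it.
TRUST_POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Least-privilege permissions policy for the role, as the answer suggests:
# only TerminateInstances, and only on instances tagged Env=sandbox (assumed tag).
TERMINATE_ONLY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "ec2:TerminateInstances",
        "Resource": f"arn:aws:ec2:*:{ACCOUNT_ID}:instance/*",
        "Condition": {"StringEquals": {"aws:ResourceTag/Env": "sandbox"}},
    }],
}


def trusts_iam_principal(trust_policy: dict, account_id: str) -> bool:
    """True if an Allow statement grants sts:AssumeRole to an IAM principal
    (account root, user or role) of account_id. Simplified: ignores Deny,
    NotPrincipal and Condition, which a real IAM evaluation also applies."""
    for stmt in trust_policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        aws = stmt.get("Principal", {}).get("AWS", [])  # Service principals never match
        aws = [aws] if isinstance(aws, str) else aws
        if any(p == account_id or p.startswith(f"arn:aws:iam::{account_id}:") for p in aws):
            return True
    return False
```

Because the role session carries only the role's permissions, the user's Deny on ec2:TerminateInstances does not follow Test1 into the assumed role, which is why the role's own policy should be kept as narrow as TERMINATE_ONLY_POLICY.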
