FLR or Copy to S3 with Exception: could not assume role

FLR or Copy to S3 with Exception: could not assume role

Issues:

When doing file level recovery(FLR) or copy to S3 operation in the same account, N2WS might need to assume its own role to generate a token for the worker, this could lead to the below error

ERROR:  get_instance_role_temp_credentials(aws_utils.py:1086)  Failed to creating temp credentials for instance role (account: General1, user Admin). Error: User: arn:aws:sts::862967128348:assumed-role/MyCPMRole/i-0ecdce71be1f610a9 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::862967128348:role/MyCPMRole
ERROR:  task_to_dict(backup_copy_manager.py:82)  Exception occurred
Traceback (most recent call last):
  File "./cpmserver/cpm/backup_copy/backup_copy_manager.py", line 80, in task_to_dict
  File "./cpmserver/cpm/backup_copy/s3_copy.py", line 1102, in backup_copy_task_to_dict
  File "./cpmserver/cpm/backup_copy/copy_to_s3_common.py", line 74, in account_credentials_to_dict
Exception: could not assume role

Solution:
Due to AWS recent announcement about changing the IAM role trust policy behavior(https://aws.amazon.com/blogs/security/announcing-an-update-to-iam-role-trust-policy-behavior), You will need update the role to allow it to assume itself.

1. Go to IAM -> Role -> Trust relationships


2. Update the json to allow the role to assume itself, for example:
Before:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
After:
{
                "Version": "2012-10-17",
                "Statement": [
                                {
                                                "Effect": "Allow",
                                                "Principal": {
                                                                "Service": "ec2.amazonaws.com"
                                                },
                                                "Action": "sts:AssumeRole"
                                },
                                {
                                                "Effect": "Allow",
                                                "Principal": {
                                                                "AWS": "arn:aws:iam::862967128348:role/MyCPMRole"
                                                },
                                                "Action": "sts:AssumeRole"
                                }
                ]
}

Note: you need to update the red with the account number and the role name