Permission check may fail with an error Could not assume role

Issue:

Permission check may fail with this error message:

ERROR:  get_assume_role_credentials(aws_utils.py:1337)  Could not assume role arn arn:<AWS account ARN:RoleName> from account <CPM Account> (<CPM user>), reason User arn:<AWS account ARN:IAM User name> is not authorized to perform: sts:AssumeRole on resource: arn:arn:<AWS account ARN:RoleName>.


Description:

This issue happens when the IAM user lacks permission to call sts:AssumeRole on the IAM role, or when the IAM role's trust relationship does not trust the assuming IAM user or role. Both sides must allow the call: the caller's identity policy must grant sts:AssumeRole on the role, and the role's trust policy must list the caller as a principal.


Resolution:

Assign the IAM user the 'sts:AssumeRole' permission


  1. Download the ZIP file from this KB article: https://support.n2ws.com/portal/kb/articles/what-are-the-required-minimal-aws-permissions-roles-for-cpm-operation

  2. Follow the instructions from the article to apply the required permissions.


Configure the IAM role's trust relationship to trust the assuming IAM user/role.


  1. Log in to the AWS console using the account in which the required IAM role was created, and go to Identity and Access Management (IAM).

  2. Go to 'Roles' and select the role whose trust relationship needs configuring.

  3. Click 'Edit trust relationship'.

  4. The trust relationship should look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::012345678901:role/marketingit",
          "arn:aws:iam::987654321098:user/backupuser",
          "arn:aws:iam::567890123456:root"
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

     Replace the account IDs and IAM user/role names with your own account ID and IAM user/role names. Role principals use the IAM ARN form (arn:aws:iam::<account ID>:role/<RoleName>), not arn:aws:sts::. Using the "root" option trusts every IAM user and role in that account, so name the specific user or role where possible.

  5. Click 'Update Trust Policy'.
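The following script is an added example and is not part of the N2WS article or the CPM product: it reads a role trust policy document like the one above and reports whether a given caller ARN is trusted, how (an exact entry, an account "root" entry, or a wildcard), and flags the common mistakes behind the "not authorized to perform: sts:AssumeRole" error, such as a role principal written with arn:aws:sts:: or a caller that is simply missing. The sample policy, account IDs and caller ARNs are constructed; the check only covers the trust-policy half of the problem and ignores Condition blocks and the caller's own identity policy.

```python
import json
import re

# Constructed sample trust policy (same shape as the article's example).
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": [
                    "arn:aws:iam::012345678901:role/marketingit",
                    "arn:aws:iam::987654321098:user/backupuser",
                    "arn:aws:iam::567890123456:root",
                ]
            },
            "Action": "sts:AssumeRole",
        }
    ],
})

ARN_RE = re.compile(r"^arn:aws:(?P<service>iam|sts)::(?P<account>\d{12}):(?P<resource>.+)$")


def _as_list(value):
    """IAM allows a single string or a list in most policy fields."""
    return value if isinstance(value, list) else [value]


def _match(principal, caller_arn):
    """How a single Principal.AWS entry covers the caller: 'exact', 'account-root', 'wildcard' or None."""
    if principal == "*":
        return "wildcard"
    if re.fullmatch(r"\d{12}", principal):
        # A bare account ID is shorthand for that account's root principal.
        principal = f"arn:aws:iam::{principal}:root"
    if principal == caller_arn:
        return "exact"
    p, c = ARN_RE.match(principal), ARN_RE.match(caller_arn)
    if p and c and p.group("resource") == "root" and p.group("account") == c.group("account"):
        return "account-root"
    return None


def check_trust_policy(policy_json, caller_arn):
    """Return {'trusted': bool, 'via': str|None, 'findings': [str]} for caller_arn against a trust policy."""
    policy = json.loads(policy_json)
    trusted_via = None
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue  # only Allow statements granting sts:AssumeRole are relevant
        principal_block = stmt.get("Principal", {})
        principals = ["*"] if principal_block == "*" else _as_list(principal_block.get("AWS", []))
        for entry in principals:
            if entry.startswith("arn:aws:sts::") and ":role/" in entry:
                # IAM rejects this form; roles are named with arn:aws:iam:: in trust policies.
                findings.append(f"invalid principal {entry}: role ARNs use arn:aws:iam::, not arn:aws:sts::")
                continue
            how = _match(entry, caller_arn)
            if how == "account-root" or (re.fullmatch(r"\d{12}", entry) or entry.endswith(":root")):
                findings.append(f"{entry} trusts every IAM user and role in that account (broad trust)")
            if how == "wildcard":
                findings.append("Principal '*' trusts any AWS principal; restrict it")
            if how and trusted_via is None:
                trusted_via = how
    if trusted_via is None:
        findings.append(f"{caller_arn} is not trusted by this policy: add it to Principal.AWS "
                        "(this produces 'not authorized to perform: sts:AssumeRole')")
    return {"trusted": trusted_via is not None, "via": trusted_via, "findings": findings}


if __name__ == "__main__":
    for caller in ("arn:aws:iam::987654321098:user/backupuser",
                   "arn:aws:iam::111111111111:user/backupuser"):
        print(caller, json.dumps(check_trust_policy(SAMPLE_TRUST_POLICY, caller), indent=2))
```

Run it against the trust policy fetched from the role (for example the AssumeRolePolicyDocument returned by `aws iam get-role`) and the ARN the error message prints after "User", which is the identity CPM is actually calling from; if the script reports the caller as trusted, the remaining cause is the caller's own identity policy, covered by the first part of the resolution.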


You can also follow this AWS documentation page instead of the instructions above: https://docs.aws.amazon.com/cli/latest/userguide/cli-roles.html#cli-role-prepare

After the permissions and the trust relationship have been set, run the permission check again to confirm that the initial issue has disappeared.