I have a lambda function (lambda-get-details) created using the below IAM role in Account-A
Role name: lambdarole
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "logs:CreateLogGroup",
                "logs:CreateLogStream",
                "logs:PutLogEvents"
            ],
            "Resource": "arn:aws:logs:*:*:*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "config:PutEvaluations",
                "ec2:DescribeImages",
                "sts:AssumeRole"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}
The same IAM role name (lambdarole) is created in other accounts as well, such as Account-B.
Now the lambda function from Account-A needs to get details from Account-B (for example, a list of AMIs) and we are getting the below error:
"errorMessage": "An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::Account-A:assumed-role/lambdarole/lambda-get-details is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::Account-B:role/lambdarole"
Can someone help me solve the above issue?
Any help would be appreciated
Thanks
In Account-A, the policy of lambdarole allows role assumption of any role ARN (including roles in Account-B). This is taken care of by this statement:
{
    "Action": [
        "sts:AssumeRole"
    ],
    "Resource": "*",
    "Effect": "Allow"
}
Similarly, in Account-B the role lambdarole should contain a trust policy which allows role assumption from Account-A. Add the account ID or the lambdarole role ARN of Account-A as the Principal in Account-B's lambdarole AssumeRolePolicyDocument.
The AssumeRolePolicyDocument would look like this (if the account ID is used as Principal):
"AssumeRolePolicyDocument": {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Principal": {
                "AWS": "<Account-ID-of-Account-A>"
            }
        }
    ]
}
You can refer here to understand how cross account access is established with IAM roles.
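The answer above says that a cross-account AssumeRole needs two things to line up: the caller's identity policy in Account-A must allow sts:AssumeRole on the target role ARN, and the target role's trust policy in Account-B must name the caller. STS returns the same AccessDenied message for either failure, so it helps to check both halves explicitly. The script below is an added example, not code from the question or the answer: it copies the lambdarole identity policy from the thread, constructs a "before" trust policy for Account-B (a Lambda execution role that trusts only lambda.amazonaws.com, which is an assumption about how the Account-B role was created), runs a simplified IAM-style evaluation of both halves, and shows the boto3 call a Lambda would make once the trust is in place. The account IDs 111111111111 and 222222222222, the region and the session name are placeholders.

```python
"""Cross-account sts:AssumeRole from a Lambda role: check both halves, then call.

Added example, not code from the question or the answer. Account IDs, the
Account-B trust policy before the fix, the region and the session name are
assumptions. The evaluator is a simplification of IAM (no Conditions, no
permission boundaries, no SCPs).
"""
import fnmatch
import json

ACCOUNT_A = "111111111111"   # assumed placeholder for Account-A
ACCOUNT_B = "222222222222"   # assumed placeholder for Account-B
CALLER_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_A}:role/lambdarole"
TARGET_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_B}:role/lambdarole"

# Identity policy attached to lambdarole in Account-A (as posted in the thread).
IDENTITY_POLICY_A = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["logs:CreateLogGroup", "logs:CreateLogStream",
                    "logs:PutLogEvents"],
         "Resource": "arn:aws:logs:*:*:*", "Effect": "Allow"},
        {"Action": ["config:PutEvaluations", "ec2:DescribeImages",
                    "sts:AssumeRole"],
         "Resource": "*", "Effect": "Allow"},
    ],
}

# Constructed (assumption): a Lambda execution role created the same way in
# Account-B trusts only the Lambda service, so nothing in Account-A can assume it.
TRUST_POLICY_B_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"Service": "lambda.amazonaws.com"}}],
}

# The fix, scoped to the one role in Account-A rather than the whole account
# (an account-ID principal lets every AssumeRole-capable identity there in).
TRUST_POLICY_B_AFTER = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": CALLER_ROLE_ARN}}],
}


def _as_list(value):
    """IAM lets Action/Resource/Principal be a string or a list of strings."""
    return value if isinstance(value, list) else [value]


def _match(pattern, value):
    """IAM-style wildcard match: '*' and '?', case-sensitive."""
    return fnmatch.fnmatchcase(value, pattern)


def identity_policy_allows(policy, action, resource):
    """Half 1: does the caller's own policy allow `action` on `resource`?
    An explicit Deny wins; otherwise any matching Allow is enough."""
    allowed = False
    for stmt in policy["Statement"]:
        if not any(_match(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_match(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def trust_policy_allows(trust_policy, caller_role_arn):
    """Half 2: does the target role's trust policy name the caller?
    Accepts '*', the caller's account ID, its account root ARN, or its role ARN."""
    account = caller_role_arn.split(":")[4]
    for stmt in trust_policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        for entry in _as_list(principal.get("AWS", [])):
            if entry in ("*", account, f"arn:aws:iam::{account}:root",
                         caller_role_arn):
                return True
    return False


def diagnose(identity_policy, trust_policy, caller_role_arn, target_role_arn):
    """Return the list of missing halves; an empty list means AssumeRole succeeds."""
    problems = []
    if not identity_policy_allows(identity_policy, "sts:AssumeRole", target_role_arn):
        problems.append(f"identity policy of {caller_role_arn} lacks "
                        f"sts:AssumeRole on {target_role_arn}")
    if not trust_policy_allows(trust_policy, caller_role_arn):
        problems.append(f"trust policy of {target_role_arn} does not trust "
                        f"{caller_role_arn}")
    return problems


def list_account_b_images(target_role_arn=TARGET_ROLE_ARN, region="us-east-1"):
    """What the Lambda in Account-A runs once both halves are in place.
    Needs boto3 and real AWS credentials, so it is not exercised offline."""
    import boto3
    creds = boto3.client("sts").assume_role(
        RoleArn=target_role_arn, RoleSessionName="lambda-get-details")["Credentials"]
    ec2 = boto3.client("ec2", region_name=region,
                       aws_access_key_id=creds["AccessKeyId"],
                       aws_secret_access_key=creds["SecretAccessKey"],
                       aws_session_token=creds["SessionToken"])
    return [img["ImageId"] for img in ec2.describe_images(Owners=["self"])["Images"]]


if __name__ == "__main__":
    for label, trust in (("before", TRUST_POLICY_B_BEFORE), ("after", TRUST_POLICY_B_AFTER)):
        print(label, json.dumps(diagnose(IDENTITY_POLICY_A, trust,
                                         CALLER_ROLE_ARN, TARGET_ROLE_ARN)))
```

With the posted identity policy, the "before" run reports only the trust-policy half as missing, which matches the error in the question. The Resource "*" on sts:AssumeRole in Account-A is broader than it needs to be; narrowing it to arn:aws:iam::<Account-B>:role/lambdarole still passes identity_policy_allows and stops the Lambda role from being usable to assume anything else it happens to be trusted by.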