How to assume an AWS role from another AWS role?

Prashant · Nov 17, 2016 · Viewed 21.4k times

I have two AWS accounts, let's say A and B.

In account B, I have a role defined that allows access to another role from account A. Let's call it Role-B.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::********:role/RoleA"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }

In account A, I have defined a role that allows the root user to assume the role. Let's call it Role-A.

  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "AWS": "arn:aws:iam::********:root"
        },
        "Action": "sts:AssumeRole"
      }
    ]
  }

Role-A has the following policy attached to it:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::****:role/RoleB",
                "Effect": "Allow"
            }
        ]
    }

As a user in account A, I assumed Role-A. Now, using this temporary credential, I want to assume Role-B and access the resource owned by account B. I have the code below:

import boto3

client = boto3.client('sts')

# First hop: assume Role-A in account A with the caller's own credentials.
firewall_role_object = client.assume_role(
    RoleArn='arn:aws:iam::********:role/RoleA',
    RoleSessionName='hop-one')  # free-form session label; value assumed here

firewall_credentials = firewall_role_object['Credentials']

# Build an STS client that signs with Role-A's temporary credentials.
firewall_client = boto3.client(
    'sts',
    aws_access_key_id=firewall_credentials['AccessKeyId'],
    aws_secret_access_key=firewall_credentials['SecretAccessKey'],
    aws_session_token=firewall_credentials['SessionToken'], )

# Second hop: from Role-A, assume Role-B in account B.
optimizely_role_object = firewall_client.assume_role(
    RoleArn='arn:aws:iam::****:role/RoleB',
    RoleSessionName='hop-two')  # free-form session label; value assumed here

This code works for the set of roles I got from my client but is not working for the roles I defined between the two AWS accounts I have access to.


Prashant · Nov 17, 2016

Finally got this working. The above configuration is correct. There was a spelling mistake in the policy.

I will keep this question here as it may help someone who wants to achieve double-hop authentication using roles.
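The failure above came down to a single wrong character in an ARN, so it is worth checking, before anything is deployed, that the two halves of a hop agree: the target's trust policy names the source role, and the source role's own policy permits sts:AssumeRole on the target. The following is an added example, not code from the question or from AWS; it reads plain policy documents (constructed here with placeholder account ids) and reports why the hop from Role-A to Role-B would be denied on paper, also accepting the account-root and wildcard principal forms.

```python
# Constructed sample documents mirroring the question's setup; the 12-digit
# account ids are placeholders, not real accounts.
ROLE_A_ARN = "arn:aws:iam::111111111111:role/RoleA"
ROLE_B_ARN = "arn:aws:iam::222222222222:role/RoleB"

# Trust policy on Role-B (account B): who may call AssumeRole on it.
ROLE_B_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_A_ARN}, "Action": "sts:AssumeRole"}]}

# Permissions policy on Role-A (account A): what Role-A itself may assume.
ROLE_A_PERMISSIONS = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_B_ARN}]}

# The kind of mistake the question ran into: one stray character in the ARN.
TYPO_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROLE_A_ARN + "A"}, "Action": "sts:AssumeRole"}]}


def _as_list(value):
    """IAM accepts Action, Resource and Principal values as a string or a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def _principals(statement):
    """Flatten Principal, which is either "*" or {"AWS": <arn or list of arns>}."""
    principal = statement.get("Principal", {})
    return _as_list(principal.get("AWS") if isinstance(principal, dict) else principal)


def _grants(statement, values, target, also_ok=()):
    """True for an Allow statement carrying sts:AssumeRole (or *) whose
    `values` name `target`, a wildcard, or one of `also_ok`."""
    actions = set(_as_list(statement.get("Action")))
    if statement.get("Effect") != "Allow" or not actions & {"sts:AssumeRole", "*"}:
        return False
    return any(v in values for v in (target, "*", *also_ok))


def check_hop(source_role_arn, target_role_arn, target_trust, source_permissions):
    """List the on-paper reasons AssumeRole(source -> target) would be denied;
    an empty list means both halves of the hop agree with each other."""
    problems = []
    # Half 1: the target's trust policy must name the source role itself, or the
    # source account's root (which hands the decision to that account's own IAM).
    source_root = "arn:aws:iam::%s:root" % source_role_arn.split(":")[4]
    if not any(_grants(st, _principals(st), source_role_arn, (source_root,))
               for st in _as_list(target_trust.get("Statement"))):
        problems.append("%s does not trust %s" % (target_role_arn, source_role_arn))
    # Half 2: the source role's own permissions must allow AssumeRole on the target.
    if not any(_grants(st, _as_list(st.get("Resource")), target_role_arn)
               for st in _as_list(source_permissions.get("Statement"))):
        problems.append("%s may not assume %s" % (source_role_arn, target_role_arn))
    return problems
```

It evaluates only the two documents it is given; Condition blocks, explicit Deny statements elsewhere and organisation-level policies are not considered, so an empty result is a necessary, not sufficient, condition for the hop to work.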