aws-samples / aws-iam-access-key-auto-rotation

This set of CloudFormation templates and Python scripts will set up an auto-rotation function that will automatically rotate your AWS IAM User Access Keys every 90 days.
MIT No Attribution

STS:AssumeRole Error after deployment #25

Open KWS-Blackout opened 1 year ago

KWS-Blackout commented 1 year ago

Running into the following error after deploying the CloudFormation for password rotation.

6858314d-cee5-4cf8-abfd-392603586515 Check that AccountID: [AccountID] has the correct IAM Role deployed to it via the CloudFormation Stack Template. Raw Error: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::AccountID:assumed-role/asa-iam-key-rotation-account-inventory-lambda-execution-role/ASA-Account-Inventory is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::AccountID:role/asa-iam-key-rotation-list-accounts-role

The policy has AssumeRole for the role specified in the error.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::AccountID:role/asa-iam-key-rotation-list-accounts-role"
        }
    ]
}

Pheels commented 1 year ago

I also ran into this issue. In order to fix it, you need to add the following permission to asa-iam-key-rotation-lambda-execution-role in your main deployment account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionToAssumeRoles",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::${AccountA}:role/asa-iam-key-rotation-lambda-assumed-role",
                "arn:aws:iam::${AccountB}:role/asa-iam-key-rotation-lambda-assumed-role"
            ]
        }
    ]
}

denn0muk commented 1 year ago

A poorly documented solution from AWS. You have to figure out stuff to get it working.

botscholar-scott commented 8 months ago

I'm running into this same error but for the main deployment account (just doing manual tests at this point). I added our account id to this new policy @Pheels pasted above that we attached to the asa-iam-key-rotation-lambda-execution-role to no avail.

botscholar-scott commented 8 months ago

But in our case we don't have the asa-iam-key-rotation-lambda-assumed-role that we are trying to assume on the main deployment account, so perhaps there's an earlier step that doesn't create this role on the main account?

botscholar-scott commented 8 months ago

I missed the third bullet of 6.1, "If deployed via organizations, the root org account will not be included."

DNascimento99 commented 6 months ago

Has anyone managed to fix this problem?

nicocayetano commented 6 months ago

In our experience, the issue is not the IAM permission; rather, the Lambda function is performing an AssumeRole on an invalid role ARN: "arn:aws:iam:::role/asa-iam-key-rotation-list-accounts-role". Error message: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::AccountID:assumed-role/asa-iam-key-rotation-account-inventory-lambda-execution-role/ASA-Account-Inventory is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam:::role/asa-iam-key-rotation-list-accounts-role

It is missing the account ID, hence it is failing. I added aws_account_id='' and the AssumeRole request on the role went through, and it started to assume other roles from other accounts. However, I am still having issues with the other functions.
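The two failure modes discussed in this thread (a policy that names the right role but still gets AccessDenied, and a target ARN built with an empty account ID so that it cannot match any policy statement) can be told apart from the caller's side before touching the trust policy. The following is an added example, not code from the aws-samples project; the account ID 111122223333 is a constructed placeholder, and the policy is the one from the first comment with that placeholder filled in.

```python
import fnmatch
import json
import re

# Constructed placeholder account ID; the thread shows the literal "AccountID".
ACCOUNT_ID = "111122223333"
LIST_ROLE = "asa-iam-key-rotation-list-accounts-role"

# Execution-role identity policy from the first comment, with the placeholder filled in.
EXECUTION_ROLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "lambda:InvokeFunction", "Resource": "*"},
        {"Sid": "VisualEditor1", "Effect": "Allow", "Action": "sts:AssumeRole",
         "Resource": f"arn:aws:iam::{ACCOUNT_ID}:role/{LIST_ROLE}"},
    ],
})

# Role ARN shape: arn:PARTITION:iam::ACCOUNT_ID:role/NAME, where the account ID is exactly 12 digits.
ROLE_ARN_RE = re.compile(r"^arn:[^:]+:iam::(\d{12}):role/[\w+=,.@/-]+$")

def build_role_arn(account_id, role_name, partition="aws"):
    """Build a role ARN, refusing the empty-account form (arn:aws:iam:::role/...) seen in the thread."""
    if not re.fullmatch(r"\d{12}", account_id or ""):
        raise ValueError(f"invalid account ID {account_id!r}: the resulting ARN could never match a policy")
    return f"arn:{partition}:iam::{account_id}:role/{role_name}"

def policy_allows_assume(policy_json, role_arn):
    """Simplified identity-policy check: some Allow statement whose Action covers sts:AssumeRole
    and whose Resource pattern matches role_arn. Ignores Deny statements and Conditions."""
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        resources = stmt.get("Resource", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = [resources] if isinstance(resources, str) else resources
        if any(fnmatch.fnmatchcase("sts:AssumeRole", a) for a in actions) and \
           any(fnmatch.fnmatchcase(role_arn, r) for r in resources):
            return True
    return False

def diagnose(policy_json, role_arn):
    """Explain an AssumeRole AccessDenied from the caller's side before looking at the trust policy."""
    if not ROLE_ARN_RE.match(role_arn):
        return "malformed target ARN (missing or non-12-digit account ID); no policy statement can match it"
    if not policy_allows_assume(policy_json, role_arn):
        return "execution role lacks sts:AssumeRole on this ARN"
    return "identity policy allows it; next check the target role's trust policy"
```

Run `diagnose(EXECUTION_ROLE_POLICY, "arn:aws:iam:::role/" + LIST_ROLE)` to see the second comment's case classified as a malformed ARN rather than a missing permission.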