I'm trying to assume role in awscli with my user (from a federated account), but I can't.
Every time that I run this command:
% aws sts assume-role --role-arn “arn:aws:iam::123456789012:role/eksServiceRole” --role-session-name "my_test"
I receive this error:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456789012:assumed-role/AzureAD_AWS_Admin/[email protected] is not authorized to perform: sts:AssumeRole on resource: “arn:aws:iam::123456789012:role/eksServiceRole”
I have added my account as a trust relationship to this role, but still nothing works:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:sts::123456789012:assumed-role/AzureAD_AWS_Admin/[email protected]",
"arn:aws:iam::123456789012:root"
],
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
},
]
}
I have tried the same thing for this role, but still it doesn't work.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::123456789012:root",
"arn:aws:sts::123456789012:assumed-role/AzureAD_AWS_Admin/[email protected]"
]
},
"Action": "sts:AssumeRole",
"Condition": {
"StringEquals": {
"sts:ExternalId": "2ffd8b2c3d8edaf02104a081af4b78d82f6e770f"
}
}
}
]
}
I also have STS activated for all regions.
I tried for different roles and users, but I could never run a command because of this assumerole. I just need to do that to proceed with my project (a Gitlab EKS Cluster integration to install metrics server).
I'm struggling with that for days and I have tried every solution here in stack overflow.
I have solved it!
It was missing the externalId. In this case, for these roles, they were created with this externalId from a third-party application (Gitlab).
So I put the
--external-idparameter in everything runned gracefully: