Can't assume role in AWS CLI, even with trust relationship


I'm trying to assume a role in the AWS CLI with my user (from a federated account), but I can't.

Every time that I run this command:

% aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/eksServiceRole" --role-session-name "my_test"

I receive this error:

An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::123456789012:assumed-role/AzureAD_AWS_Admin/[email protected] is not authorized to perform: sts:AssumeRole on resource: “arn:aws:iam::123456789012:role/eksServiceRole”

I have added my account as a trust relationship to this role, but still nothing works:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:sts::123456789012:assumed-role/AzureAD_AWS_Admin/[email protected]",
          "arn:aws:iam::123456789012:root"
        ],
        "Service": "eks.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

I have tried the same thing for this role, but still it doesn't work.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::123456789012:root",
          "arn:aws:sts::123456789012:assumed-role/AzureAD_AWS_Admin/[email protected]"
        ]
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "2ffd8b2c3d8edaf02104a081af4b78d82f6e770f"
        }
      }
    }
  ]
}

I also have STS activated for all regions.

I tried different roles and users, but I could never run a command because of this AssumeRole error. I just need to do that to proceed with my project (a Gitlab EKS cluster integration to install metrics server).

I've been struggling with this for days and I have tried every solution here on Stack Overflow.

1 answer

mayconfsbrito (accepted answer)

I have solved it!

It was missing the externalId. In this case, for these roles, they were created with this externalId from a third-party application (Gitlab).

So I put in the --external-id parameter and everything ran gracefully:

% aws sts assume-role --role-arn arn:aws:iam::123456789012:role/eksGitlabProvisionRole --external-id 2ffd4wsc3d8edaf02104a081af4b78g432f6e750f --role-session-name my_test
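To see why the ExternalId-protected trust policy from the question rejects a call that omits --external-id, here is an added local evaluator (example code, not from the question, the answer or AWS). It is a deliberate simplification: it models only "AWS" principals, StringEquals conditions and the account-root delegation rule (root matches only when the caller's own identity policy also grants sts:AssumeRole), ignores explicit Deny, and uses a placeholder session name in place of the redacted e-mail address.

```python
# Added example: simplified local evaluation of sts:AssumeRole against a
# role trust policy. Not AWS's policy engine; Deny statements and condition
# operators other than StringEquals are not modelled.

TRUST_POLICY = {  # constructed: the ExternalId-protected policy from the question
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": [
            "arn:aws:iam::123456789012:root",
            # placeholder session name standing in for the redacted e-mail
            "arn:aws:sts::123456789012:assumed-role/AzureAD_AWS_Admin/user@example.com",
        ]},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {
            "sts:ExternalId": "2ffd8b2c3d8edaf02104a081af4b78d82f6e770f"}},
    }],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _principal_matches(principals, caller_arn, identity_policy_allows):
    """An explicit session ARN matches directly. The account-root ARN only
    delegates to the account: it matches when the caller's own identity-based
    policy also grants sts:AssumeRole on the role."""
    caller_account = caller_arn.split(":")[4]
    for principal in principals:
        if principal == caller_arn:
            return True
        if principal == f"arn:aws:iam::{caller_account}:root" and identity_policy_allows:
            return True
    return False

def trust_policy_allows(policy, caller_arn, request_context, identity_policy_allows=False):
    """Return (allowed, reason). request_context holds the keys STS sees for the
    call, e.g. {"sts:ExternalId": "..."}; omitting --external-id leaves the key
    absent, and StringEquals on an absent key evaluates to false."""
    reasons = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if not _principal_matches(principals, caller_arn, identity_policy_allows):
            continue
        string_equals = stmt.get("Condition", {}).get("StringEquals", {})
        unmet = [key for key, wanted in string_equals.items()
                 if request_context.get(key) not in _as_list(wanted)]
        if not unmet:
            return True, "allowed"
        reasons.append("condition not met: " + ", ".join(unmet))
    return False, "; ".join(reasons) or "no Allow statement names the caller"
```

Calling trust_policy_allows with an empty request context reproduces the AccessDenied case from the question, and adding the sts:ExternalId key reproduces the fix from the answer.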