My lambda, named 'configure-idp', runs as role 'configure-saml-providerA' in account AAAAAAAAAAAA. I need to assume role 'configure-saml-providerB' in account BBBBBBBBBBBB, which has permissions to configure the idp for account BBBBBBBBBBBB. The trust on 'configure-saml-providerB' looks like:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:sts::AAAAAAAAAAAA:assumed-role/configure-saml-providerA/configure-idp"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
And yet, when my lambda attempts to run the assume_role command (see below), I get:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::AAAAAAAAAAAA:assumed-role/configure-saml-providerA/configure-idp is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::BBBBBBBBBBBB:role/configure-saml-provider
The assume_role code mentioned above is:
import boto3

client = boto3.client('sts')
# Assume the role in account BBBBBBBBBBBB; the account field of RoleArn
# must be the 12-digit account ID.
assumed_role_object = client.assume_role(
    RoleArn="arn:aws:iam::BBBBBBBBBBBB:role/configure-saml-providerB",
    RoleSessionName="LambdaSetIDPSession"
)
I've also tried changing the principal ARN in the trust to look like this:
arn:aws:sts::AAAAAAAAAAAA:role/configure-saml-providerA
But get the same error.
Why am I not able to assume role arn:aws:iam::BBBBBBBBBBBB:role/configure-saml-providerB when the trust on that role is set to allow me to do so?
CodePudding user response:
Consider the following
https://aws.amazon.com/es/premiumsupport/knowledge-center/iam-assume-role-error/
Maybe you're part of an AWS organization and there's an SCP that's restricting you from assuming the role?
CodePudding user response:
The problem is that I used the account alias instead of the account ID in the ARN when trying to assume the role. You wouldn't see that in the post because I obfuscated the sensitive information.
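The root cause in this answer (an account alias in the RoleArn) is invisible in the AccessDenied message, so a local pre-flight check on the ARN before calling sts:AssumeRole separates "malformed ARN" from "trust policy or SCP denies it". The following is an added example, not code from the original post; `check_role_arn` and `assume_role_checked` are names chosen here, the regex is a constructed approximation of the IAM role ARN format, and the `assume_role` call is the real boto3 API.

```python
import re

# Constructed pattern for an IAM role ARN. The account field is captured
# loosely on purpose so that an alias in that position can be diagnosed.
ROLE_ARN_RE = re.compile(
    r"^arn:aws:iam::(?P<account>[^:]*):role/(?P<name>[\w+=,.@/-]+)$"
)


def check_role_arn(role_arn):
    """Return a list of problems with an ARN meant for sts:AssumeRole (empty if OK)."""
    problems = []
    m = ROLE_ARN_RE.match(role_arn)
    if m is None:
        if role_arn.startswith("arn:aws:sts::"):
            # STS ARNs identify sessions/callers; AssumeRole wants the IAM role ARN
            problems.append("AssumeRole takes an IAM role ARN (arn:aws:iam::...), not an STS ARN")
        else:
            problems.append("not of the form arn:aws:iam::<account-id>:role/<name>")
        return problems
    account = m.group("account")
    if not re.fullmatch(r"\d{12}", account):
        # This is the mistake from the answer: an alias where the ID belongs
        problems.append(f"account field {account!r} is not a 12-digit account ID (alias used?)")
    return problems


def assume_role_checked(role_arn, session_name, sts=None):
    """Validate the ARN locally, then call sts:AssumeRole and return its Credentials."""
    problems = check_role_arn(role_arn)
    if problems:
        raise ValueError("; ".join(problems))
    if sts is None:
        import boto3  # imported lazily so the ARN check runs without boto3 installed
        sts = boto3.client("sts")
    try:
        return sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]
    except Exception as err:
        # An AccessDenied here is no longer an ARN-format problem: look at the
        # target role's trust policy and any SCP in the organization.
        raise RuntimeError(f"AssumeRole on {role_arn} failed: {err}") from err
```

With a correct ARN the wrapper behaves exactly like the original `assume_role` call; with an alias in the account field it fails locally with a message naming the field instead of a generic AccessDenied.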