
So, as mentioned in the title, I need to assume the role of one of my child accounts using boto3 and Python. I am making the request from the master account with an IAM user because, as I read, a root account cannot assume a role, only a user can. So the user is created, has admin permissions, and I have also created a custom policy; here is the JSON:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "sts:*",
            "Resource": "*"
        }
    ]
}

But I keep getting:

botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied

Btw, here is my code:

import boto3

# STS client built from the locally configured credentials/config
sts = boto3.client('sts')
response = sts.assume_role(
    RoleArn='arn:aws:organizations::123456789:account/Master',
    RoleSessionName='currentSession'
)

And yes, I have credentials and config set locally.

1 Answer


In the 'child' account, you will need:

  • An IAM Role that you wish to assume
  • A Trust Relationship on the role that permits the other account to use it
  • A policy that gives access to the resources you want the role to use

In the 'parent' account, you will need:

  • An IAM User that has sts:AssumeRole permission for, at minimum, the IAM Role in the child account

By the way, the concept of 'child' or 'master' account is not necessary. It's just one account calling AssumeRole on a role in another account.

Based on the error message you are receiving, the IAM User that you are using to call AssumeRole does not have the necessary permissions. So, either the IAM User that the program is using does not have the policy you have shown, or the IAM Role that it is attempting to assume in the other account does not have a trust relationship that permits the request from the 'child' account.

See: Creating a Role to Delegate Permissions to an IAM User - AWS Identity and Access Management
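The three pieces the answer lists, as an added Python example that is not part of the question or the answer: the trust policy on the child-account role, a parent-account user policy scoped to that one role rather than sts:* on *, and the AssumeRole call itself. The account IDs, the role name CrossAccountAdmin and the helper names are constructed placeholders; the ARN check rejects an Organizations account ARN like the one in the question, because AssumeRole needs an IAM role ARN.

```python
import json
import re

# Constructed placeholder account IDs (real IDs are 12 digits) and a hypothetical role name.
PARENT_ACCOUNT_ID = "111111111111"
CHILD_ACCOUNT_ID = "222222222222"
ROLE_NAME = "CrossAccountAdmin"

# AssumeRole needs an IAM *role* ARN, not an Organizations account ARN.
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")


def is_valid_role_arn(arn: str) -> bool:
    return bool(ROLE_ARN_RE.match(arn))


def child_trust_policy(trusted_account_id: str) -> dict:
    """Trust relationship on the role in the child account: lets principals
    of the parent account call sts:AssumeRole on it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
        }],
    }


def parent_user_policy(role_arn: str) -> dict:
    """Policy for the parent IAM user, scoped to the one role instead of sts:* on *."""
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": role_arn}],
    }


def assume_child_role(sts_client, role_arn: str, session_name: str = "currentSession") -> dict:
    """Call AssumeRole and return the temporary credentials. sts_client is
    injected (boto3.client('sts') in practice) so this can be exercised offline."""
    if not is_valid_role_arn(role_arn):
        raise ValueError(f"not an IAM role ARN: {role_arn}")
    return sts_client.assume_role(RoleArn=role_arn, RoleSessionName=session_name)["Credentials"]


if __name__ == "__main__":
    import boto3  # only needed for the live call
    role_arn = f"arn:aws:iam::{CHILD_ACCOUNT_ID}:role/{ROLE_NAME}"
    print(json.dumps(child_trust_policy(PARENT_ACCOUNT_ID), indent=2))
    creds = assume_child_role(boto3.client("sts"), role_arn)
```

The returned Credentials dict (AccessKeyId, SecretAccessKey, SessionToken) is what you pass to boto3.client(...) to act in the child account.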