Access denied when assuming role as IAM user via boto3

Question

Issue

I have an IAM user, and an IAM role. I am trying to configure the IAM user to have permission to assume the IAM role using STS. I am not sure why I receive an "Access Denied" error.

Details

IAM role: arn:aws:iam::123456789:role/athena_access

IAM user: arn:aws:iam::123456789:user/athena-external-user

IAM user policy to allow assume role:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "StsAssumeRole",
            "Effect": "Allow",
            "Action": "sts:*",
            "Resource": "arn:aws:iam::123456789:role/athena_access"
        }
    ]
}

Code:

import boto3
os.environ['AWS_ACCESS_KEY_ID'] = '...'
os.environ['AWS_SECRET_ACCESS_KEY'] = '...'

client = boto3.client('sts')
role_to_assume_arn='arn:aws:iam::123456789:role/athena_access'
role_session_name='test_session'
response=client.assume_role(
    RoleArn=role_to_assume_arn,
    RoleSessionName=role_session_name
)

Error:

botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:iam::123456789:user/athena-external-user is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789:role/athena_access

James Wierzba James Wierzba · Accepted Answer · 2019-10-29T22:23:17

Of course, I found the solution shortly after posting the question.

The IAM role needs to have a TrustRelationship policy for the user that will assume the role.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com",
        "AWS": "arn:aws:iam::123456789:user/athena-external-user"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

Access denied when assuming role as IAM user via boto3

1 Answers