0

I am setting up the AWS CLI configuration on Windows 10 using the credentials and config files. In the config file I define a config_profile and in it use source_profile to link it with the profile defined in credentials.

When I run aws configure list --profile config_profile, I get:

An error occurred (AccessDenied) when calling the AssumeRole operation: Access denied
Krzysztof Słowiński

1 Answer

1

Have you granted permission for the switch to take place? Check out https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_permissions-to-switch.html.

When you create a role for cross-account access, you establish trust from the account that owns the role and the resources (trusting account) to the account that contains the users (trusted account). To do this, you specify the trusted account number as the Principal in the role's trust policy. That allows potentially any user in the trusted account to assume the role. To complete the configuration, the administrator of the trusted account must give specific groups or users in that account permission to switch to the role.

To grant a user permission to switch to a role, you create a new policy for the user or edit an existing policy to add the required elements.

A policy that grants a user permission to assume a role must include a statement with the Allow effect on the following:

The sts:AssumeRole action

The Amazon Resource Name (ARN) of the role in a Resource element

For example:

{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::ACCOUNT-ID-WITHOUT-HYPHENS:role/Test*"
  }
}

Also see

Shawn
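To check offline whether an identity policy like the one in the answer covers the role named in role_arn, the following added example (not code from the answer or from AWS) evaluates only Effect, Action and Resource for sts:AssumeRole. The function name, the account IDs and the role names are constructed for illustration; Condition, NotAction, NotResource, permission boundaries, SCPs and the role's own trust policy are not modelled.

```python
import json
import re

def _wild(pattern, value, ignore_case=False):
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def _as_list(x):
    # "Statement", "Action" and "Resource" may each be one value or a list.
    return x if isinstance(x, list) else [x]

def assume_role_decision(policy_json, role_arn):
    """Return 'Allow', 'Deny' or 'ImplicitDeny' for sts:AssumeRole on role_arn."""
    decision = "ImplicitDeny"
    for stmt in _as_list(json.loads(policy_json)["Statement"]):
        unsupported = {"NotAction", "NotResource", "Condition"} & stmt.keys()
        if unsupported:
            raise ValueError(f"not modelled here: {sorted(unsupported)}")
        # Action names compare case-insensitively, ARNs case-sensitively.
        if not any(_wild(a, "sts:AssumeRole", True) for a in _as_list(stmt["Action"])):
            continue
        if not any(_wild(r, role_arn) for r in _as_list(stmt["Resource"])):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit Deny always wins
        decision = "Allow"
    return decision

# Constructed sample: the answer's policy with a placeholder account ID.
PAGE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::111122223333:role/Test*"
  }
}"""

if __name__ == "__main__":
    for arn in ("arn:aws:iam::111122223333:role/TestAdmin",
                "arn:aws:iam::111122223333:role/ProdAdmin",
                "arn:aws:iam::444455556666:role/TestAdmin"):
        print(arn, "->", assume_role_decision(PAGE_POLICY, arn))
```

An ImplicitDeny result for the role_arn in the config file means the source profile's user has no matching Allow, which is the situation the answer describes.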