Troubleshooting 'Not Authorized to Perform sts:AssumeRole': A Quick-Fix Guide to Your AWS Woes

Troubleshooting 'Not Authorized to Perform sts:AssumeRole': A Quick-Fix Guide to Your AWS Woes

·

7 min read

The scalability, flexibility, and pricing models of AWS services make AWS the leading cloud service provider. From machine learning to container technology and Identity and Access Management (IAM), AWS is tapping into every possible market.

Nearly 95% of organizations have an IAM solution; most medium-sized to large corporations use multiple IAM solutions. But even with all these capabilities, developers can face frustrating errors when configuring IAM with their applications.

One highly disruptive error message is "Not Authorized to Perform sts:AssumeRole." This error indicates an issue within your IAM permissions, and the debugging can take forever if you don't know the root cause.

What is AWS AssumeRole?

AssumeRole is a feature within IAM that allows users to obtain temporary security credentials to access AWS resources. These temporary credentials follow the principle of least privilege - a crucial part of Identity Governance - and can be scoped to allow access only to specific resources or actions.

This fine-grained control ensures that users have the necessary permissions for their tasks without granting excessive access. It also helps your organization comply with critical regulations that require an overview of your IAM strategy, such as PCI, GDPR, and HIPAA.

AssumeRole serves various purposes:

  • It facilitates secure access between AWS accounts, allowing one AWS account to delegate limited access to its resources to another account.

  • AWS services utilize AssumeRole to gain secure access to other AWS resources. For example, AWS Lambda can assume roles to access specific S3 buckets, minimizing the need for hard-coded credentials.

  • It grants temporary IAM access for developers who require short-term access to AWS resources.

How AssumeRole works

AWS AssumeRole requires an IAM role with defined permissions and trusted entities. When users need temporary access to AWS resources, they request to assume the role using the role's Amazon Resource Name (ARN). AWS evaluates the trust policy to determine if the request is authorized and generates temporary security credentials, including an Access Key ID, Secret Access Key, and a Session Token. These credentials grant temporary access to AWS resources based on the permissions specified in the role's policy.

Understanding the sts:AssumeRole Error

AWS Security Token Service (STS) plays a crucial role in AWS security by issuing temporary security credentials. sts:AssumeRole is the operation that requests these temporary credentials when a user or entity needs access to AWS resources through an IAM role.

The sts:AssumeRole error indicates a failure to assume a specific IAM role due to a problem with the permissions, trust relationships, or policies related to the role assumption process. The leading causes for sts:AssumeRole errors are:

  • Insufficient permissions: Entity attempting to assume the role lacks the necessary rights

  • Misconfigured policies: Restricts access more than intended or may not include the required permissions.

  • Incorrect trust relationships: Role's trust policy may not allow the entity to assume the role.

How to troubleshoot 'Not Authorized to Perform sts:AssumeRole'

Troubleshooting sts:AssumeRole error typically involves reviewing and adjusting IAM policies, permissions, and trust relationships. Although it sounds simple, it can be a time-consuming process. So, this comprehensive tutorial will walk you through the debugging process with detailed steps, code snippets, and best practices for a more efficient approach.

Step 1 - Identifying the root cause

First, you need to carefully read the complete error message to understand the meaning of this specific error message. For example, consider the below error:

"User: arn:aws:iam::123456789012:user/username is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/role-name"

This message indicates that the user is attempting to perform the sts:AssumeRole operation but is not authorized to do so on the specified IAM role.

You can also use AWS CloudTrail logs to get additional information about the sts:AssumeRole operation. A CloudTrail log includes the event name, source, request parameters, and identity details. You can use this information to identify the exact API call, role, and entity that triggered the error.

{

"eventVersion": "1.07",

"userIdentity": {

"type": "IAMUser",

"principalId": "EXAMPLE",

"arn": "arn:aws:iam::123456789012:user/username",

"accountId": "123456789012",

"accessKeyId": "AKIA1234567890EXAMPLE",

"userName": "username"

},

"eventTime": "2023-01-01T00:00:00Z",

"eventSource": "sts.amazonaws.com",

"eventName": "AssumeRole",

"awsRegion": "us-east-1",

"sourceIPAddress": "203.0.113.1",

"userAgent": "AWS CLI",

"requestParameters": {

"roleArn": "arn:aws:iam::123456789012:role/role-name",

"roleSessionName": "session-123"

},

....

}

Step 2 - Reviewing policies and permissions

Then, you must scrutinize the policies and permissions of the IAM role and entity involved in the error. You must ensure these policies are correctly configured to allow the sts:AssumeRole operation. For example, let's consider this error message.

"User: arn:aws:iam::123456789012:user/username is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/role-name"

When debugging, first, you need to find the IAM mentioned in the error message. In this case, that is role-name. Then, open the policies attached to the role-name IAM role. These policies specify what actions are allowed or denied for this role. If there are no issues with the role policy, check the policies associated with username and grant permission for the sts:AssumeRole action on the role-name.

Here are some common problems you need to check in policy configurations:

  • Typos: Ensure that action names, resource ARNs, and conditions in the policy are spelled correctly.

  • Incorrect Action Names: Verify that the policy specifies the correct action names, such as "sts:AssumeRole."

  • Incorrect Resource ARNs: Ensure the policy references the correct AWS resources.

However, manually reviewing and understanding IAM policies will get increasingly challenging as application requirements grow. Automation tools like Slauth can significantly simplify the IAM policy creation and management process and reduce your attack surface.

Aside from generating IAM policies for your specific needs automatically and enforcing security while reducing operational overhead, Slauth continuously monitors the activity of your machine identities. This continuous monitoring capability means you can spot access gaps, react timely, and update your policies as you go. Slauth also configures IAM roles based on analyzed permissions, tailoring them to suit infrastructure requirements.

Step 3 - Resolving the Error

Resolving the "Not Authorized to Perform sts:AssumeRole" error may involve several steps, depending on the root cause. Here are some actions you can take to resolve this error:

Updating IAM Role Policies

If the mistake is due to insufficient permissions in the IAM role policies, update the policies to allow the sts:AssumeRole action. A correct IAM role policy for role-name with sts:AssumeRole privileges will look like the below:

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": "sts:AssumeRole",

"Resource": "arn:aws:iam::123456789012:role/role-name"

}

]

}

Correcting Policy Misconfigurations

Suppose you have provided sufficient permissions, and the error still exists. Check for policy misconfigurations like typos, wrong ARNs, and action names. For example, the below policy has an unnoticeable typo in the action name.

{

"Version": "2012-10-17",

"Statement": [

{

"Effect": "Allow",

"Action": "sts:AsumeRole", // Action Name

"Resource": "arn:aws:iam::123456789012:role/role-name" // ARN

}

]

}

Adjusting Trust Relationships

Trust relationships define who or what is allowed to assume a specific role and under what conditions. If the issue is related to trust relationships, you need to consider the following when adjusting the trust policy:

  1. Include new entities that need to assume the role. For example, if you have a new IAM user who needs to take the role, you must add that user to the trust policy.

"Principal": {

"AWS": "arn:aws:iam::123456789012:user/new-user"

}

  1. Update existing conditions. For example, if you initially specified that the entity could assume the role only during specific hours, you might need to adjust the time conditions.

"Condition": {

"DateGreaterThan": {

"aws:CurrentTime": "2023-01-01T08:00:00Z"

},

"DateLessThan": {

"aws:CurrentTime": "2023-01-01T18:00:00Z"

}

}

Step 4 - Preventing future AWS sts:AssumeRole errors

As we all know, prevention is better than mitigation (and much less stressful for your engineering team). If you can follow best practices when working with AWS IAM, you can easily prevent such errors and save time and effort. Here are some steps you can take to avoid mistakes in AWS IAM management:

  • Implement continuous monitoring and auditing of your IAM roles and policies using services like CloudTrail.

  • Maintain comprehensive documentation for IAM roles.

  • Establish clear and consistent naming conventions for IAM roles.

  • Adhere to the principle of least privilege.

  • Use IAM role versioning.

  • Use IAM automation tools like Slauth to base IAM policies on actual activity, enhancing security and minimizing the risk associated with long-term credential exposure.

Streamlining AWS IAM with Slauth

The "Not Authorized to Perform sts:AssumeRole" error is an annoying error developers often face when working with AWS IAM. Understanding its root causes and how to troubleshoot it will hopefully save you some of the frustration, but the problems don't end here.
You can prevent this and similar errors when working on AWS IAM if you pay more attention to your policies, how they are structured, and the levels of access they provide. Slauth’s IAM Policy Copilot automatically generates IAM policies for machine identities based on real-time API calls from end-to-end tests to AWS before production. This means you can have more accurate and secure policies from the get-go without wasting engineering time.

Explore Slauth here and make IAM more manageable for your team.