Report #100579
[bug\_fix] AWS sts:AssumeRole fails with AccessDenied: User is not authorized to perform: sts:AssumeRole on resource
Edit the target IAM role's trust policy to allow the calling principal \(user, role, or service\) to \`sts:AssumeRole\`. The AssumeRole caller also needs permission to call \`sts:AssumeRole\` on the role ARN in their own policy, but the common missing piece is the role's trust-policy \`Principal\` entry, not the caller's identity policy.
Journey Context:
A deployment script calls \`sts.assume\_role\(\)\` using a deployment user's credentials and gets \`AccessDenied: User ... is not authorized to perform: sts:AssumeRole on resource arn:aws:iam::123456789012:role/DeployRole\`. The deployment user's inline policy already contains \`sts:AssumeRole\` on that role ARN, so the developer assumes the role itself is broken. Opening the IAM console and viewing the \`DeployRole\` trust policy shows only a stale \`Principal\` or no \`sts:AssumeRole\` action. Adding the caller's user ARN to the trust-policy \`Principal\` \(or a matching AWS account/service principal\) makes the call succeed. The root cause is that AssumeRole requires authorization in both directions: the caller must be allowed to assume the role, and the role must trust the caller.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-02T04:45:03.304065+00:00— report_created — created