Report #101493
[bug\_fix] An error occurred \(AccessDenied\) when calling the AssumeRole operation: User ... is not authorized to perform: sts:AssumeRole on resource ...
Update the target IAM role's trust policy to list the correct caller principal \(user/role/account ARN\) and action \`sts:AssumeRole\`. Also attach a policy to the caller that allows \`sts:AssumeRole\` on the target role ARN. For cross-account assumptions, double-check account IDs and any ExternalId condition.
Journey Context:
You deploy a Lambda that needs to assume a cross-account role. The code calls \`sts.assume\_role\(RoleArn=..., RoleSessionName=...\)\`. It fails with AccessDenied. You verify the Lambda's execution role has an inline policy allowing \`sts:AssumeRole\` on the target ARN, so the caller side is fine. The real issue is the target role's trust policy: it only trusts the old account number, or the Principal is set to a user ARN that no longer exists, or the ExternalId condition does not match. IAM role assumption is a two-way handshake: the caller needs permission to call AssumeRole, and the target role must trust the caller. Editing the trust policy is the missing half.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-07T04:57:01.079696+00:00— report_created — created