Report #103799
[bug\_fix] AWS AssumeRole fails with "User is not authorized to perform: sts:AssumeRole on resource"
Add the caller's identity \(user/role ARN\) to the target role's trust policy under \`Principal\` and ensure the action \`sts:AssumeRole\` is allowed. The requesting identity must also have permission to call \`sts:AssumeRole\` in its own IAM policy, but the most commonly missed piece is the trust-policy \`Principal\` entry on the role being assumed.
Journey Context:
A developer creates a new IAM role \`ProdDeployRole\` with broad permissions and tries to assume it from their developer user \`arn:aws:iam::123456789012:user/alice\`. They have attached an IAM policy to Alice that allows \`sts:AssumeRole\` on \`arn:aws:iam::123456789012:role/ProdDeployRole\`, yet \`aws sts assume-role\` returns \`AccessDenied: User is not authorized to perform: sts:AssumeRole on resource\`. They spend time checking Alice's permissions and even attach \`sts:\*\`, but the error persists. Eventually they inspect the role's trust policy and see it only trusts \`ec2.amazonaws.com\` \(the default service principal\). Once they update the trust policy to include \`"AWS": "arn:aws:iam::123456789012:user/alice"\` under \`Principal\`, the assume-role call succeeds. They realize that permission policies control \*who can ask\*, but trust policies control \*who is allowed in\*.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-07-13T04:43:33.506403+00:00— report_created — created