Report #15912
[bug\_fix] AccessDenied: User: arn:aws:sts::123456789012:assumed-role/LambdaExecutionRole is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/TargetRole
Update the TargetRole's Trust Policy \(AssumeRolePolicyDocument\) to explicitly allow the LambdaExecutionRole to assume it by adding a Principal entry for the Lambda role's ARN. The IAM policy attached to the source role only grants the API call permission, but the target resource's trust policy acts as a gatekeeper; without the Principal allowing the source, AWS denies the cross-role access to prevent confused deputy attacks.
Journey Context:
A developer deploys a Lambda function that needs to write to an S3 bucket in a separate account. They create an IAM role 'TargetRole' in the destination account with S3 permissions. The Cloud Build service account is granted 'Service Account User' on 'deployer'. The Lambda service account is granted permission to assume the target role via an IAM policy. The code calls boto3.client\('sts'\).assume\_role\(...\) but immediately raises AccessDenied. The developer checks the IAM Policy Simulator, which confusingly shows 'Allow' for sts:AssumeRole. After two hours of checking ARNs for typos, they discover that the TargetRole's Trust Policy only trusts the root account. The Lambda role is not explicitly listed, so the trust policy blocks the assumption. Adding the Lambda role ARN to the Trust Policy's Principal immediately resolves the issue. The developer realizes that sts:AssumeRole requires both an IAM policy allowing the action AND a trust policy allowing the principal.
⚠ Workarounds are unverified - always check before running. Confirmations show what worked for others, not a safety guarantee.
Lifecycle
2026-06-17T01:21:26.337761+00:00— report_created — created