Help! EC2 Instance Profile Assume Role Access Denied

Asked By CuriousCat123 On

I'm having trouble with an EC2 instance that's running a Docker container to post objects into an S3 bucket. I've set up a role with the necessary permissions and configured the trust relationship for the EC2 instance to assume that role. Here's my trust relationship policy snippet: it allows the EC2 service to assume the role.

Inside the container, I created an .aws/config file with the following content:

[profile some-name]
role_arn = arn:aws:iam::xxxxxxxxxxxxxxx:role/some-role
credential_source = Ec2InstanceMetadata
region = us-east-1

I mounted this configuration folder in my app as:
volumes:
- /root/.aws:/root/.aws

My EC2 instance is using IMDSv2 with a hop count set to 2. However, when I run "aws sts get-caller-identity" inside the container, I get this error:
"An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::xxxxxxxxxxxxxxxxx:assumed-role/some-role/i-0234230d1ce01eff is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::xxxxxxxxxxxxxxxxx:role/some-role." Any ideas on why the AssumeRole is being denied?

2 Answers

Answered By WiseOwls88 On

Also, double-check if there are any other policies applied to your role that might explicitly deny the `sts:AssumeRole` action. Any explicit deny will override the allow permissions, so it's worth looking into!

Answered By TechieGuru89 On

It seems like the issue might be with your EC2 instance role policy. Besides the trust relationship, you need an explicit policy statement in your instance role that allows the `sts:AssumeRole` action on the resource you're trying to access. Without that, even with the trust relationship set up, you'll still run into access issues.
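The error quoted in the question already carries the most useful clue: the caller is `arn:aws:sts::…:assumed-role/some-role/i-0234230d1ce01eff` (the instance profile's own session for `some-role`, with the instance ID as session name) and the resource it is denied on is `arn:aws:iam::…:role/some-role`. With `role_arn` plus `credential_source = Ec2InstanceMetadata`, the SDK takes the instance profile credentials and then calls `sts:AssumeRole` on `role_arn`, so here the role is being asked to assume itself, and a trust policy that only trusts `ec2.amazonaws.com` does not permit that. As an added example (not part of the original question or either answer), the Python below reads the container's `.aws/config` profile and the `AccessDenied` message and classifies the failure; the account ID, config text and error text are constructed from the thread with placeholder values, and the function names are my own.

```python
"""Classify an STS AssumeRole AccessDenied seen from an EC2 instance profile.

Added example, not code from the original thread. Reads the profile the CLI
used and the AccessDenied message it printed, then says whether the profile
is asking the instance role to assume itself, to chain into another role, or
was not the profile that failed. Account IDs and names are placeholders.
"""
import configparser
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample input modelled on the thread (placeholder account ID).
SAMPLE_CONFIG = """\
[profile some-name]
role_arn = arn:aws:iam::111122223333:role/some-role
credential_source = Ec2InstanceMetadata
region = us-east-1
"""

SAMPLE_ERROR = (
    "An error occurred (AccessDenied) when calling the AssumeRole operation: "
    "User: arn:aws:sts::111122223333:assumed-role/some-role/i-0234230d1ce01eff "
    "is not authorized to perform: sts:AssumeRole on resource: "
    "arn:aws:iam::111122223333:role/some-role"
)

# The caller is an assumed-role session (account, role, session name); the
# resource is the IAM role being assumed. A trailing sentence period or quote,
# as in the forum post, is tolerated.
ACCESS_DENIED_RE = re.compile(
    r"User: arn:aws:sts::(?P<caller_acct>[^:]+):assumed-role/"
    r"(?P<caller_role>[^/\s]+)/(?P<session>\S+) is not authorized to perform: "
    r"sts:AssumeRole on resource: arn:aws:iam::(?P<target_acct>[^:]+):role/"
    r'(?P<target_role>[^\s"]+?)\.?(?=[\s"]|$)'
)


@dataclass(frozen=True)
class Denial:
    caller_acct: str
    caller_role: str
    session: str
    target_acct: str
    target_role: str

    @property
    def target_arn(self) -> str:
        return f"arn:aws:iam::{self.target_acct}:role/{self.target_role}"


def parse_denial(message: str) -> Denial:
    """Extract caller and target from the CLI's AccessDenied text."""
    m = ACCESS_DENIED_RE.search(message)
    if not m:
        raise ValueError("not an AssumeRole AccessDenied from an assumed-role session")
    return Denial(**m.groupdict())


def profile_role_arn(config_text: str, profile: str) -> Optional[str]:
    """Return role_arn for [profile NAME], or None if the profile does not chain."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    section = f"profile {profile}"
    if not cp.has_section(section):
        raise KeyError(f"no [{section}] in config")
    return cp.get(section, "role_arn", fallback=None)


def diagnose(config_text: str, profile: str, message: str) -> str:
    """Return a one-line verdict whose first word is a stable category."""
    d = parse_denial(message)
    role_arn = profile_role_arn(config_text, profile)
    if role_arn is None:
        return "no-chain: profile has no role_arn, so this denial did not come from it"
    if role_arn != d.target_arn:
        return f"profile-mismatch: profile assumes {role_arn} but the denial is for {d.target_arn}"
    if (d.caller_acct, d.caller_role) == (d.target_acct, d.target_role):
        via = "the instance profile" if d.session.startswith("i-") else f"session {d.session}"
        return (
            f"self-chain: the caller already runs as {d.caller_role} via {via}; role_arn makes "
            f"the SDK call AssumeRole on that same role, which a trust policy naming only "
            f"ec2.amazonaws.com does not allow. Drop role_arn/credential_source and use the "
            f"instance credentials directly, or add the role's own ARN as a trusted Principal."
        )
    return (
        f"chain-denied: {d.caller_role} (the instance role) may not assume {d.target_arn}. "
        f"The target's trust policy must name the instance role's ARN as a Principal "
        f"(ec2.amazonaws.com alone only covers the instance profile), the instance role's "
        f"identity policy must allow sts:AssumeRole on that ARN, and no policy may Deny it."
    )


if __name__ == "__main__":
    print(diagnose(SAMPLE_CONFIG, "some-name", SAMPLE_ERROR))
```

Run it with the real config and the real error text captured from inside the container; for the thread's input it reports `self-chain`. The quickest confirmation on the instance itself is `aws sts get-caller-identity` without `--profile`: if it already returns the `assumed-role/some-role/i-…` ARN, the instance credentials are the role and the extra hop in the profile is what fails.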
