- April 13, 2018
- Posted by: Michael
- Category: AWS
If you follow AWS IAM best practices and use roles when you need to do work in another AWS account, you will probably have used the assume-role functionality.
While setting up my AWS CLI to work on an external AWS account I encountered an issue with the external role ARN.
When configuring the AWS CLI to assume a role, you can’t use the account alias but have to use the account ID in the role ARN.
Initially my ~/.aws/config looked like this:

```ini
[profile other-account]
output = json
region = eu-central-1
role_arn = arn:aws:iam::MyOtherAccount:role/RoleToAssume
source_profile = sinax-michaelanckaert
mfa_serial = arn:aws:iam::123456789012:mfa/MichaelAnckaert
```
I assumed this would work, but I kept getting AccessDenied errors despite having the correct policies applied.
As it turns out, an account alias is only valid in the console sign-in URL, never inside an ARN, so it doesn't work in the CLI config either: the account field of the role ARN has to be the 12-digit account ID:

```ini
role_arn = arn:aws:iam::234567890123:role/RoleToAssume
```
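Because the CLI only tells you "AccessDenied" in this situation, it helps to lint the config before trying it. The script below is an added example, not code from the original post: it parses a constructed ~/.aws/config of the same shape as the one above (the profile names and account IDs are placeholders) and flags every assume-role profile whose role_arn or mfa_serial carries something other than a 12-digit account ID, or whose source_profile is not defined in the file.

```python
"""Offline sanity check for assume-role profiles in ~/.aws/config.

Added example, not part of the original post. It flags ARNs whose account
field is not a 12-digit account ID, which is the mistake described above.
"""
import configparser
import re
from typing import Dict, List

# Every IAM ARN carries the 12-digit account ID in its fifth field; an account
# alias is only valid in the console sign-in URL, never inside an ARN.
ACCOUNT_ID_RE = re.compile(r"^\d{12}$")
ARN_RE = re.compile(r"^arn:(aws|aws-cn|aws-us-gov):iam::([^:]*):(role|mfa|user)/(.+)$")

# Constructed sample config (placeholder names and IDs): the first assume-role
# profile has the alias bug, the second one is the corrected version.
SAMPLE_CONFIG = """
[profile sinax-michaelanckaert]
region = eu-central-1
output = json

[profile other-account]
output = json
region = eu-central-1
role_arn = arn:aws:iam::MyOtherAccount:role/RoleToAssume
source_profile = sinax-michaelanckaert
mfa_serial = arn:aws:iam::123456789012:mfa/MichaelAnckaert

[profile other-account-fixed]
output = json
region = eu-central-1
role_arn = arn:aws:iam::234567890123:role/RoleToAssume
source_profile = sinax-michaelanckaert
mfa_serial = arn:aws:iam::123456789012:mfa/MichaelAnckaert
"""


def parse_iam_arn(arn: str) -> Dict[str, str]:
    """Split an IAM ARN into partition, account, resource type and resource name.

    Raises ValueError when the string is not an IAM ARN at all.
    """
    m = ARN_RE.match(arn.strip())
    if not m:
        raise ValueError(f"not an IAM ARN: {arn!r}")
    partition, account, rtype, name = m.groups()
    return {"partition": partition, "account": account, "type": rtype, "name": name}


def arn_problems(arn: str, expected_type: str) -> List[str]:
    """Return human-readable problems with an ARN; an empty list means it looks right."""
    try:
        parts = parse_iam_arn(arn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if parts["type"] != expected_type:
        problems.append(f"expected a {expected_type} ARN, got {parts['type']}")
    if not ACCOUNT_ID_RE.match(parts["account"]):
        problems.append(
            f"account field {parts['account']!r} is not a 12-digit account ID "
            "(an account alias is not valid inside an ARN)"
        )
    return problems


def check_config(text: str) -> Dict[str, List[str]]:
    """Check every profile that assumes a role; return {section: [problems]}.

    Profiles without a role_arn are skipped, and only sections with at least
    one problem appear in the result.
    """
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings: Dict[str, List[str]] = {}
    for section in cfg.sections():
        if "role_arn" not in cfg[section]:
            continue
        problems = arn_problems(cfg[section]["role_arn"], "role")
        if "mfa_serial" in cfg[section]:
            problems += arn_problems(cfg[section]["mfa_serial"], "mfa")
        # The CLI needs credentials to call STS with, so source_profile must
        # name a profile that exists in the same file ([default] has no prefix).
        src = cfg[section].get("source_profile")
        if src:
            src_section = "default" if src == "default" else f"profile {src}"
            if src_section not in cfg.sections():
                problems.append(f"source_profile {src!r} is not defined")
        if problems:
            findings[section] = problems
    return findings


if __name__ == "__main__":
    for profile, problems in check_config(SAMPLE_CONFIG).items():
        print(profile)
        for p in problems:
            print("  -", p)
```

Run against the sample, it reports only `profile other-account`, with the alias in the role_arn as the problem, and passes the corrected profile. To find the real account ID to put in the ARN, ask the other account itself with `aws sts get-caller-identity --query Account --output text` while using credentials from that account, or read it from the IAM console; the alias can be mapped back with `aws iam list-account-aliases` in the same account.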
This didn’t strike me as obvious but well, lesson learned!
On the bright side: now I no longer have to ask for an access and secret key from the other AWS account and we can do things the right way 😉