'iam:CreateRole: Access Denied for assumed role
I am trying to create IAM role using an assumed role. Below is my terraform snippet.
provider "aws" {
region = "us-east-1"
shared_credentials_file = "${pathexpand("~/.aws/credentials")}"
profile = "default"
assume_role {
role_arn = "arn:aws:iam::1234567890:role/Admin"
}
resource "aws_iam_role" "execution" {
name = "${var.name_prefix}-task-execution-role"
assume_role_policy = data.aws_iam_policy_document.task_assume.json
tags = var.tags
}
Where name_prefix has the value DataScientists
When applying this, I am getting the following error
Error: error creating IAM role (task-role): AccessDenied: User: arn:aws:sts::1234567890:assumed-role/Admin is not authorized to perform iam:CreateRole on resource: arn:aws:iam::1234567890:role/DataScientists-task-execution-role
status code: 403,
I have given iam:CreateRole permissions in the IAM policy that is attached to Admin role. Yet I am getting the error.
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:CreateRole"
],
"Resource": "arn:aws:iam::1234567890:role/Data*",
"Effect": "Allow",
"Sid": "AllowCreateRoles"
}
amazon-web-servicesSolution 1:[1]
the policy you've attached is allowing to create any Data* role within 1234567890 account. The error says your role name is task-role. So your policy should allow creating that role:
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:CreateRole"
],
"Resource": "arn:aws:iam::1234567890:role/task-role",
"Effect": "Allow",
"Sid": "AllowCreateRoles"
}
}
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | iurii_n |