
STS:AssumeRole Error after deployment #25

Open
KWS-Blackout opened this issue Mar 10, 2023 · 7 comments

Comments

@KWS-Blackout

Running into the following error after deploying cloudformation for password rotation.

6858314d-cee5-4cf8-abfd-392603586515 Check that AccountID: [AccountID] has the correct IAM Role deployed to it via the CloudFormation Stack Template. Raw Error: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::AccountID:assumed-role/asa-iam-key-rotation-account-inventory-lambda-execution-role/ASA-Account-Inventory is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::AccountID:role/asa-iam-key-rotation-list-accounts-role

The policy has AssumeRole for the role specified in the error.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "lambda:InvokeFunction",
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": "arn:aws:iam::AccountID:role/asa-iam-key-rotation-list-accounts-role"
        }
    ]
}

@Pheels

Pheels commented Apr 7, 2023

I also ran into this issue. In order to fix it, you need to add the following permission to asa-iam-key-rotation-lambda-execution-role in your main deployment account:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PermissionToAssumeRoles",
            "Effect": "Allow",
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws:iam::${AccountA}:role/asa-iam-key-rotation-lambda-assumed-role",
                "arn:aws:iam::${AccountB}:role/asa-iam-key-rotation-lambda-assumed-role"
            ]
        }
    ]
}

@denn0muk

A poorly documented solution from AWS. You have to figure out stuff to get it working.

@botscholar-scott

I'm running into this same error, but for the main deployment account (just doing manual tests at this point). I added our account id to the new policy @Pheels pasted above, which we attached to the asa-iam-key-rotation-lambda-execution-role, to no avail.

@botscholar-scott

But in our case we don't have the asa-iam-key-rotation-lambda-assumed-role that we are trying to assume on the main deployment account, so perhaps there's an earlier step that doesn't create this role on the main account?

@botscholar-scott

I missed the third bullet of 6.1:
"If deployed via organizations, the root org account will not be included."

@DNascimento99

Has anyone managed to fix this problem?

@nicocayetano

In our experience, the issue is not the IAM permission; the lambda function is performing an assume role on an invalid role ARN: "arn:aws:iam:::role/asa-iam-key-rotation-list-accounts-role"
Error message:
An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::AccountID:assumed-role/asa-iam-key-rotation-account-inventory-lambda-execution-role/ASA-Account-Inventory is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam:::role/asa-iam-key-rotation-list-accounts-role

It is missing the Account ID, hence it is failing. I added aws_account_id='<deployment_account_id>' and the AssumeRole request on the role went through, and it started to assume other roles from other accounts. However, we are still having issues with the other functions.
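Two things the thread points at can be checked offline before redeploying: that the account id is actually present when the role ARN is built (the empty-account ARN in the comment above), and that the execution role's identity policy carries an Allow for sts:AssumeRole on that exact ARN. The following is an added example, not code from the asa-iam-key-rotation project or from anyone in this issue; the 12-digit account ids and the sample policy are constructed placeholders shaped like the fix posted earlier.

```python
import re

# Constructed sample identity policy in the shape of the fix posted in this
# issue; the 12-digit account ids are placeholders, not real accounts.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PermissionToAssumeRoles",
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": [
            "arn:aws:iam::111111111111:role/asa-iam-key-rotation-lambda-assumed-role",
            "arn:aws:iam::222222222222:role/asa-iam-key-rotation-lambda-assumed-role",
        ],
    }],
}

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")

def build_role_arn(account_id, role_name):
    """Build a role ARN, refusing an empty or malformed account id: an empty id
    yields 'arn:aws:iam:::role/<name>', which STS rejects with the generic
    AccessDenied quoted in this issue instead of a clear validation error."""
    if not re.fullmatch(r"\d{12}", account_id or ""):
        raise ValueError(f"invalid AWS account id: {account_id!r}")
    return f"arn:aws:iam::{account_id}:role/{role_name}"

def _matches(pattern, value, flags=0):
    # IAM wildcard semantics: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, flags) is not None

def policy_allows_assume(policy, target_role_arn):
    """True if policy has an Allow for sts:AssumeRole on target_role_arn.
    Simplified: explicit Deny wins; Conditions, permission boundaries and the
    target role's trust policy are not evaluated."""
    if not ROLE_ARN_RE.match(target_role_arn):
        return False  # malformed ARN (e.g. missing account id) can never match
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        # Action names are case-insensitive in IAM; resource ARNs are not.
        if (any(_matches(a, "sts:AssumeRole", re.IGNORECASE) for a in actions)
                and any(_matches(r, target_role_arn) for r in resources)):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed
```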
