AWS IAM - AssumeRole within same account?
Solution 1:
You don’t need a TrustRelation when assuming a role from the same account. Delete it and it should work.
By the way, do not use access and secret keys on EC2 instances. Instead, use an EC2 Instance Role that will give the required permissions to your Splunk process.
Also, there is probably no need to assume another role from the EC2 Instance Role; simply give that role the required policy / permissions.
Hope that helps :)
Solution 2:
To clarify some information in the other answers regarding assumption of roles across accounts:
- For assuming a role in a different account, you need both an IAM Policy in the "from" account allowing sts:AssumeRole on the destination role AND a Trust Policy on the destination role trusting the "source account" (the "root" user)
- For assuming a role in the same account, you can either do the same thing as the cross-account situation, OR simply add the "from" role to the Trust Policy of the "to" role
From the AWS Documentation:
A user who wants to access a role in a different account must also have permissions that are delegated from the user account administrator. The administrator must attach a policy that allows the user to call AssumeRole for the ARN of the role in the other account. If the user is in the same account as the role, then you can do either of the following:
- Attach a policy to the user (identical to the previous user in a different account).
- Add the user as a principal directly in the role's trust policy.
In this case, the trust policy acts as an IAM resource-based policy. Users in the same account as the role do not need explicit permission to assume the role. For more information about trust policies and resource-based policies, see IAM Policies in the IAM User Guide.
Of course, once you have created a role that you are capable of assuming, you need to actually "Assume" that role. Assuming a role gives you a set of "temporary" credentials, which you can then use to perform actions with the new set of permissions.
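The following is an added worked example and is not code from either answer or from AWS. It builds the two policy documents Solution 2 describes (the trust policy on the destination role and the sts:AssumeRole identity policy on the source principal) and evaluates the same-account versus cross-account rule quoted from the AWS documentation. Account IDs, role names and the evaluator itself are hypothetical; it models only the Allow/Principal/Resource matching needed to illustrate the rule, not the full IAM policy language.

```python
"""Same-account vs cross-account AssumeRole rule, as a small policy evaluator.

Added illustration for the Q&A above; not AWS code. Account IDs and role
names are hypothetical. The evaluator models only what the quoted
documentation describes: Allow statements, explicit principals, the
account "root" principal, and exact or '*' Resource matches.
"""
import json
from typing import Optional, Tuple

ACCOUNT_A = "111111111111"  # hypothetical account IDs
ACCOUNT_B = "222222222222"

# hypothetical role ARNs: the EC2 instance role that Splunk runs under,
# and a destination role in the same and in another account
SOURCE_ROLE = f"arn:aws:iam::{ACCOUNT_A}:role/splunk-ec2-instance-role"
DEST_ROLE_SAME = f"arn:aws:iam::{ACCOUNT_A}:role/splunk-reader"
DEST_ROLE_OTHER = f"arn:aws:iam::{ACCOUNT_B}:role/splunk-reader"


def account_of(arn: str) -> str:
    """Account ID is the fifth colon-separated field of an IAM ARN."""
    return arn.split(":")[4]


def root_of(arn: str) -> str:
    """The account 'root' principal a trust policy uses to trust a whole account."""
    return f"arn:aws:iam::{account_of(arn)}:root"


def trust_policy(*principals: str) -> dict:
    """Trust policy for the destination role (a resource-based policy)."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": list(principals)},
                           "Action": "sts:AssumeRole"}]}


def assume_role_policy(role_arn: str) -> dict:
    """Identity-based policy attached to the source principal."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Action": "sts:AssumeRole",
                           "Resource": role_arn}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def trust_grants(trust: dict, principal_arn: str) -> Tuple[bool, bool]:
    """Return (named_directly, account_root_trusted) for the given principal."""
    direct = root = False
    for stmt in trust["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        trusted = _as_list(stmt["Principal"].get("AWS", []))
        direct |= principal_arn in trusted
        root |= root_of(principal_arn) in trusted
    return direct, root


def identity_grants(policy: Optional[dict], role_arn: str) -> bool:
    """Does the identity policy allow sts:AssumeRole on this role ARN (or '*')?"""
    if policy is None:
        return False
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt["Action"]):
            continue
        if any(r in ("*", role_arn) for r in _as_list(stmt["Resource"])):
            return True
    return False


def can_assume(principal_arn: str, identity_policy: Optional[dict],
               role_arn: str, trust: dict) -> bool:
    """Apply the rule quoted from the AWS documentation above.

    Cross-account: the trust policy must trust the caller (directly or via
    its account root) AND the caller needs an identity policy allowing the call.
    Same account: either that, or the trust policy names the caller directly,
    in which case no identity policy is required.
    """
    direct, root = trust_grants(trust, principal_arn)
    permitted = identity_grants(identity_policy, role_arn)
    if account_of(principal_arn) == account_of(role_arn):
        return direct or (root and permitted)
    return (direct or root) and permitted


if __name__ == "__main__":
    named_directly = trust_policy(SOURCE_ROLE)      # same account, caller named in trust policy
    via_root = trust_policy(root_of(SOURCE_ROLE))   # trust the account root instead
    print(can_assume(SOURCE_ROLE, None, DEST_ROLE_SAME, named_directly))
    print(can_assume(SOURCE_ROLE, None, DEST_ROLE_SAME, via_root))
    print(can_assume(SOURCE_ROLE, assume_role_policy(DEST_ROLE_SAME), DEST_ROLE_SAME, via_root))
    print(can_assume(SOURCE_ROLE, None, DEST_ROLE_OTHER, trust_policy(SOURCE_ROLE)))
    print(json.dumps(named_directly, indent=2))
```

Once the policies are in place, the actual call is `aws sts assume-role --role-arn <destination role ARN> --role-session-name <name>` (or the equivalent SDK call), which returns the temporary AccessKeyId, SecretAccessKey and SessionToken that the answer refers to.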