## Introduction

IAM role assumption failures (`AccessDenied` when calling `AssumeRole`) block cross-account access, CI/CD pipelines, and service-to-service authentication. The error names the caller and the target role (`User: arn:... is not authorized to perform: sts:AssumeRole on resource: arn:...`) but not the policy that refused the request, so on its own it rarely tells you whether the problem is the role's trust policy, the caller's IAM permissions, an Organizations SCP, or an unmet MFA or External ID condition. Newer AccessDenied messages sometimes append the policy type that denied (for example "with an explicit deny in a service control policy"); when that hint is present, start from the matching step below.
## Symptoms

- `aws sts assume-role` returns: `An error occurred (AccessDenied) when calling the AssumeRole operation`
- Cross-account deployments fail at the authentication step
- ECS task role not assumed by containers
- CodePipeline stuck at the deployment stage with access errors
## Common Causes

- The role's trust policy does not include the calling principal (or names a principal that has since been deleted and recreated, which IAM then displays as a bare unique ID such as `AROA...` or `AIDA...`)
- The calling principal lacks `sts:AssumeRole` in its identity-based policy or permissions boundary (required for every cross-account call, and for same-account calls whenever the trust policy grants the account root rather than the caller's exact ARN)
- An Organizations SCP on the calling account or one of its parent OUs denies `sts:AssumeRole`
- The role requires MFA (`aws:MultiFactorAuthPresent` condition) but none was provided
- External ID mismatch (`sts:ExternalId` condition) for third-party access
## Step-by-Step Fix

1. **Check the role trust policy** (run with credentials in the account that owns the role):
```bash
aws iam get-role --role-name MyRole --query 'Role.AssumeRolePolicyDocument'
```
Verify that the `Principal` matches the caller's IAM ARN. For a role-based caller (ECS task, CodePipeline, instance profile) that is the role ARN `arn:aws:iam::<caller-account>:role/<name>`, not the `arn:aws:sts::...:assumed-role/...` session ARN that `get-caller-identity` reports. If the principal appears as a bare unique ID (`AROA...` or `AIDA...`), the trusted principal was deleted and recreated and the trust policy must be re-saved with the new ARN. Also read the `Condition` block: any `sts:ExternalId`, `aws:MultiFactorAuthPresent` or `aws:PrincipalOrgID` condition must be satisfied by the call.
2. **Verify the calling principal has `sts:AssumeRole`**. First confirm which principal is actually making the call, then inspect its attached and inline policies (for a role-based caller use `list-attached-role-policies` and `list-role-policies` with `--role-name`):
```bash
aws sts get-caller-identity --query Arn --output text
aws iam list-attached-user-policies --user-name my-user
aws iam list-user-policies --user-name my-user   # inline policies
aws iam get-policy-version --policy-arn <arn> --version-id "$(aws iam get-policy --policy-arn <arn> --query Policy.DefaultVersionId --output text)"
```
The default version is rarely `v1` once a policy has been edited, so read it from `get-policy` rather than hardcoding it. Group memberships (`list-groups-for-user`) and a permissions boundary on the principal can also withhold `sts:AssumeRole`; `aws iam simulate-principal-policy` evaluates the caller's identity-based policies against a given role ARN if you want a single answer.

3. **Check for SCP restrictions** (from the Organizations management account or a delegated administrator):
```bash
aws organizations list-policies --filter SERVICE_CONTROL_POLICY
aws organizations list-targets-for-policy --policy-id <scp-id>
aws organizations describe-policy --policy-id <scp-id> --query Policy.Content --output text
```
Look for SCPs attached to the calling account or any OU above it that deny `sts:AssumeRole`, whether directly, through `sts:*`, or through a `NotAction` allow-list that omits it. SCPs apply to the account of the caller, not to the account that owns the role, and they never apply to the management account itself.

4. **Assume the role with MFA if required**:
```bash
aws sts assume-role \
  --role-arn arn:aws:iam::<role-account>:role/MyRole \
  --role-session-name my-session \
  --serial-number arn:aws:iam::<caller-account>:mfa/<device-name> \
  --token-code 123456
```
`--serial-number` is the ARN of the caller's MFA device, which lives in the caller's account (a different account from the role's in the cross-account case; hardware devices use their serial number instead of an ARN), and `--token-code` is the current code from that device (`123456` is a placeholder). Export the returned `Credentials` as `AWS_ACCESS_KEY_ID`, `AWS_SECRET_ACCESS_KEY` and `AWS_SESSION_TOKEN` for the subsequent calls. MFA devices belong to IAM users, so a caller that is itself a role session (ECS task, instance profile, CodePipeline) can never satisfy an `aws:MultiFactorAuthPresent` condition; for those callers the fix is in the trust policy, not on the command line. If the trust policy carries an `sts:ExternalId` condition, add `--external-id <value>` with the exact value the role owner issued.
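Putting the four checks together for an offline first pass, as an added example that is not code from this page or from AWS: the script below evaluates a role's trust policy against a caller ARN the way steps 1 and 4 do by hand. It reports whether any statement names the caller (exactly, or through the account root), whether an MFA or External ID condition is unmet, whether a trusted principal has degraded into a unique ID, whether an explicit Deny matches, and whether the caller additionally needs `sts:AssumeRole` in its own identity policy. `live_diagnose`, `SAMPLE_TRUST`, the account numbers and the role/user names are constructed for illustration; `live_diagnose` assumes boto3 is installed and that the active credentials can call `iam:GetRole` in the role's account.

```python
"""Offline triage of an AssumeRole refusal against the role's trust policy.
Added example for this runbook, not code from the page or AWS. Inputs: the
trust policy as a dict (as boto3 iam.get_role returns it) and the caller ARN
(as sts.get_caller_identity returns it). Only live_diagnose() calls AWS."""
import re

ROLE_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(?:.+/)?([^/]+)$")
USER_RE = re.compile(r"^arn:aws:iam::(\d{12}):user/(?:.+/)?([^/]+)$")
SESSION_RE = re.compile(r"^arn:aws:sts::(\d{12}):assumed-role/([^/]+)/[^/]+$")
UNIQUE_ID_RE = re.compile(r"^A(ROA|IDA)[A-Z0-9]+$")  # how IAM shows a deleted principal

def _as_list(value):
    """Policy fields may be a scalar or a list; always iterate a list."""
    return [] if value is None else value if isinstance(value, list) else [value]

def normalize_caller(caller_arn):
    """(account, kind, name); a session ARN folds back onto its role, the ARN a trust policy names."""
    m = SESSION_RE.match(caller_arn) or ROLE_RE.match(caller_arn)
    if m:
        return m.group(1), "role", m.group(2)
    m = USER_RE.match(caller_arn)
    if m:
        return m.group(1), "user", m.group(2)
    raise ValueError(f"unsupported caller ARN: {caller_arn}")

def principal_matches(principal, caller):
    """'exact' if the entry names this user/role, 'account' for '*', a bare account ID or :root."""
    account, kind, name = caller
    if principal in ("*", account, f"arn:aws:iam::{account}:root"):
        return "account"
    m = (ROLE_RE if kind == "role" else USER_RE).match(principal)
    return "exact" if m and m.groups() == (account, name) else None

def statement_conditions(statement):
    """Pull out the two trust-policy conditions this runbook lists as causes."""
    req = {}
    for values in statement.get("Condition", {}).values():
        for key, value in values.items():
            if key.lower() == "aws:multifactorauthpresent":
                req["mfa"] = str(_as_list(value)[0]).lower() == "true"
            elif key.lower() == "sts:externalid":
                req["external_id"] = _as_list(value)
    return req

def diagnose(trust_policy, caller_arn, role_account, external_id=None, mfa=False):
    """needs_identity_policy: the caller's own policy must also grant sts:AssumeRole,
    which is always true cross-account and, in-account, unless the exact ARN is named."""
    caller = normalize_caller(caller_arn)
    findings, matched, allowed_by, denied = [], None, None, False
    for stmt in _as_list(trust_policy.get("Statement")):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & {"sts:assumerole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal", {})
        entries = _as_list(principal if isinstance(principal, str) else principal.get("AWS"))
        for p in entries:
            if UNIQUE_ID_RE.match(p):
                findings.append(f"principal stored as unique ID {p}: it was deleted and recreated, so re-save the trust policy with the new ARN")
        kinds = [principal_matches(p, caller) for p in entries]
        kind = "exact" if "exact" in kinds else "account" if "account" in kinds else None
        if kind is None:
            continue
        matched = "exact" if "exact" in (matched, kind) else "account"
        if stmt.get("Effect") == "Deny":
            denied = True
            findings.append(f"explicit Deny in the trust policy matches {caller_arn}")
            continue
        req, unmet = statement_conditions(stmt), []
        if req.get("mfa") and not mfa:
            unmet.append("MFA required (aws:MultiFactorAuthPresent): pass --serial-number/--token-code"
                         + ("; a role has no MFA device, so fix the trust policy" if caller[1] == "role" else ""))
        if "external_id" in req and external_id not in req["external_id"]:
            unmet.append("sts:ExternalId must be one of: " + ", ".join(req["external_id"]))
        if unmet:
            findings.extend(unmet)
        elif allowed_by != "exact":
            allowed_by = kind
    if matched is None:
        findings.append(f"no statement names {caller_arn} or account {caller[0]}")
    return {"allowed_by_trust": allowed_by is not None and not denied,
            "needs_identity_policy": caller[0] != role_account or matched != "exact",
            "findings": findings}

def live_diagnose(role_arn, external_id=None, mfa=False):
    """Fetch the real inputs with boto3 (imported here so the rest stays SDK-free).
    iam.get_role must run with credentials in the role's own account."""
    import boto3  # assumption: boto3 installed and AWS credentials configured
    role_account, role_name = role_arn.split(":")[4], role_arn.split("/")[-1]
    caller_arn = boto3.client("sts").get_caller_identity()["Arn"]
    policy = boto3.client("iam").get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]
    return diagnose(policy, caller_arn, role_account, external_id, mfa)

# Constructed sample trust policy for a role in account 222222222222 (fictional accounts)
SAMPLE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::111111111111:role/ci-deploy"},
     "Condition": {"StringEquals": {"sts:ExternalId": "deploy-7f3a"}}},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": {"AWS": "AROAEXAMPLEDELETED"}}]}

if __name__ == "__main__":
    print(diagnose(SAMPLE_TRUST, "arn:aws:sts::111111111111:assumed-role/ci-deploy/build-42", "222222222222"))
```

Feed `diagnose()` the trust policy from step 1 and the ARN from `get-caller-identity`. `allowed_by_trust: False` means the fix is in the trust policy or in the call itself (steps 1 and 4); `allowed_by_trust: True` with a persisting AccessDenied points at the caller's identity policy, its permissions boundary, or an SCP (steps 2 and 3), which this script does not evaluate.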