AWS Powershell commands fail with AssumeRole error

[rpatrick00]

Since my company uses subaccounts, I have set up the required profiles and credentials in my %USERPROFILE%\.aws directory. These are working fine with the aws cli commands:

    C:\>aws ec2 describe-instances --profile ody-gov-engineer
    {
        "Reservations": []
    }

    C:\>

Unfortunately, the PowerShell commands are failing with an error:

    PS C:\> Get-AWSCredential -ListProfileDetail

    ProfileName      StoreTypeName         ProfileLocation
    -----------      -------------         ---------------
    default          SharedCredentialsFile C:\Users\robert.h.patrick\.aws\credentials
    govcloud         SharedCredentialsFile C:\Users\robert.h.patrick\.aws\credentials
    ody-gov-engineer SharedCredentialsFile C:\Users\robert.h.patrick\.aws\credentials

    PS C:\> Set-AWSCredential -ProfileName ody-gov-engineer
    PS C:\> Get-EC2Instance
    Get-EC2Instance : Error calling AssumeRole for role arn:aws-us-gov:iam::############:role/Sandbox_Administrator
    At line:1 char:1
    + Get-EC2Instance
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...2InstanceCmdlet:GetEC2InstanceCmdlet) [Get-EC2Instance], InvalidOperationException
        + FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.EC2.GetEC2InstanceCmdlet

    PS C:\>

Surely I am just doing something wrong...Any idea on how to make this work properly?

[ashishdhingra]

Hi @rpatrick00,

Good afternoon.

At first glance this appears to be an IAM policy issue.

Could you please try using -ProfileName argument to see if it works. For example,

Get-EC2Instance -ProfileName ode-gov-engineer

Also try checking the information provided at Troubleshooting IAM Assume Role Errors and see if setting up the Trust policy helps.

Thanks,
Ashish

[rpatrick00]

Will do. If it wasn’t clear, please note that the same credentials/profile works fine with the AWS CLI on the same machine/user so I am somewhat skeptical this has anything to do with the policy.

[rpatrick00]

Hi @ashishdhingra,

So I read the troubleshooting article and am convinced that the policy is correct. When I log into the AWS Console and Switch Roles into the role, it works. As I showed before, the python-based AWS CLI is also working. Just for reference, the policy associated with my IAM user in the master account is:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "sts:AssumeRole",
            "Resource": [
                "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator"
            ],
            "Effect": "Allow",
            "Sid": "OdysseyDev"
        }
    ]
}

My ~\.aws\config file looks like this:

[default]
region = us-east-1

[govcloud]
region = us-gov-west-1

[profile ody-gov-engineer]
role_arn = arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
source_profile = govcloud
region = us-gov-west-1

and my ~\.aws\credentials file looks like this:

[default]
aws_access_key_id = <redacted>
aws_secret_access_key = <redacted>

[govcloud]
aws_access_key_id = <redacted>
aws_secret_access_key = <redacted>

I created an EC2 instance with the console just to show that the AWS CLI is working and the AWS Powershell API is not. Adding the -ProfileName to Get-EC2Instance did not change the error.

PS C:\> aws ec2 describe-instances --profile ody-gov-engineer
{
    "Reservations": [
        {
            "Groups": [],
            "Instances": [
                {
                    "AmiLaunchIndex": 0,
                    "ImageId": "ami-5f58733e",
                    "InstanceId": "i-064ee401d59a5c936",
                    "InstanceType": "t3a.large",
                    "KeyName": "snaplex-devops-key",
                    "LaunchTime": "2020-08-05T17:27:03+00:00",
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "Placement": {
                        "AvailabilityZone": "us-gov-west-1a",
                        "GroupName": "",
                        "Tenancy": "default"
                    },
                    "PrivateDnsName": "ip-172-31-38-85.us-gov-west-1.compute.internal",
                    "PrivateIpAddress": "172.31.38.85",
                    "ProductCodes": [
                        {
                            "ProductCodeId": "39xl0mwguh2jvvy43omu43m66",
                            "ProductCodeType": "marketplace"
                        }
                    ],
                    "PublicDnsName": "ec2-###-###-###-###.us-gov-west-1.compute.amazonaws.com",
                    "PublicIpAddress": "###.###.###.###",
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
                    "StateTransitionReason": "",
                    "SubnetId": "subnet-344f8e7d",
                    "VpcId": "vpc-2730d740",
                    "Architecture": "x86_64",
                    "BlockDeviceMappings": [
                        {
                            "DeviceName": "/dev/xvda",
                            "Ebs": {
                                "AttachTime": "2020-08-05T17:27:04+00:00",
                                "DeleteOnTermination": true,
                                "Status": "attached",
                                "VolumeId": "vol-0fa5dbc2ed2cfd63e"
                            }
                        }
                    ],
                    "ClientToken": "##################",
                    "EbsOptimized": true,
                    "EnaSupport": true,
                    "Hypervisor": "xen",
                    "NetworkInterfaces": [
                        {
                            "Association": {
                                "IpOwnerId": "amazon",
                                "PublicDnsName": "ec2-###-###-###-###.us-gov-west-1.compute.amazonaws.com",
                                "PublicIp": "###.###.###.###"
                            },
                            "Attachment": {
                                "AttachTime": "2020-08-05T17:27:03+00:00",
                                "AttachmentId": "eni-attach-0f358c95713644f71",
                                "DeleteOnTermination": true,
                                "DeviceIndex": 0,
                                "Status": "attached"
                            },
                            "Description": "Primary network interface",
                            "Groups": [
                                {
                                    "GroupName": "snaplex-security-group",
                                    "GroupId": "sg-0ca05c3e52f022675"
                                }
                            ],
                            "Ipv6Addresses": [],
                            "MacAddress": "06:8e:1c:05:fb:38",
                            "NetworkInterfaceId": "eni-0eaa0e71b19e7271f",
                            "OwnerId": "############",
                            "PrivateDnsName": "ip-172-31-38-85.us-gov-west-1.compute.internal",
                            "PrivateIpAddress": "172.31.38.85",
                            "PrivateIpAddresses": [
                                {
                                    "Association": {
                                        "IpOwnerId": "amazon",
                                        "PublicDnsName": "ec2-###-###-###-###.us-gov-west-1.compute.amazonaws.com",
                                        "PublicIp": "###.###.###.###"
                                    },
                                    "Primary": true,
                                    "PrivateDnsName": "ip-172-31-38-85.us-gov-west-1.compute.internal",
                                    "PrivateIpAddress": "172.31.38.85"
                                }
                            ],
                            "SourceDestCheck": true,
                            "Status": "in-use",
                            "SubnetId": "subnet-344f8e7d",
                            "VpcId": "vpc-2730d740",
                            "InterfaceType": "interface"
                        }
                    ],
                    "RootDeviceName": "/dev/xvda",
                    "RootDeviceType": "ebs",
                    "SecurityGroups": [
                        {
                            "GroupName": "snaplex-security-group",
                            "GroupId": "sg-0ca05c3e52f022675"
                        }
                    ],
                    "SourceDestCheck": true,
                    "Tags": [
                        {
                            "Key": "Name",
                            "Value": "Snaplex1"
                        }
                    ],
                    "VirtualizationType": "hvm",
                    "CpuOptions": {
                        "CoreCount": 1,
                        "ThreadsPerCore": 2
                    },
                    "CapacityReservationSpecification": {
                        "CapacityReservationPreference": "open"
                    },
                    "HibernationOptions": {
                        "Configured": false
                    },
                    "MetadataOptions": {
                        "State": "applied",
                        "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 1,
                        "HttpEndpoint": "enabled"
                    }
                }
            ],
            "OwnerId": "XXXXXXXXXXXX",
            "ReservationId": "r-054f74e1e9a6d9adc"
        }
    ]
}

PS C:\> Get-AWSCredential -ListProfileDetail

ProfileName      StoreTypeName         ProfileLocation
-----------      -------------         ---------------
default          SharedCredentialsFile C:\Users\robert.h.patrick\.aws\credentials
govcloud         SharedCredentialsFile C:\Users\robert.h.patrick\.aws\credentials
ody-gov-engineer SharedCredentialsFile C:\Users\robert.h.patrick\.aws\credentials


PS C:\> Set-AWSCredential -ProfileName ody-gov-engineer
PS C:\> get-EC2Instance -ProfileName ody-gov-engineer
get-EC2Instance : Error calling AssumeRole for role arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
At line:1 char:1
+ get-EC2Instance -ProfileName ody-gov-engineer
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...2InstanceCmdlet:GetEC2InstanceCmdlet) [Get-EC2Insta
   nce], InvalidOperationException
    + FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.EC2.GetEC2InstanceCmdlet

PS C:\>

Other Powershell commands are failing with the same AssumeRole error while all AWS CLI commands are working in the same Powershell session.

[rpatrick00]

@ashishdhingra

In experimenting with the Use-STSRole cmdlet using the profile, I cannot point at the ody-gov-cloud profile and get it to work. I get the same AssumeRole error.

PS C:\> Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDev"                                         Use-STSRole : Error calling AssumeRole for role arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
At line:1 char:1
+ Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...seSTSRoleCmdlet:UseSTSRoleCmdlet) [Use-STSRole], In
   validOperationException
    + FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.STS.UseSTSRoleCmdlet

PS C:\> Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDev" -Region us-gov-west-1
Use-STSRole : Error calling AssumeRole for role arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
At line:1 char:1
+ Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...seSTSRoleCmdlet:UseSTSRoleCmdlet) [Use-STSRole], In
   validOperationException
    + FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.STS.UseSTSRoleCmdlet

PS C:\> Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDev" -Region us-gov-west-1 -RoleArn "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator"
Use-STSRole : Error calling AssumeRole for role arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
At line:1 char:1
+ Use-STSRole -ProfileName ody-gov-engineer -RoleSessionName "OdysseyDe ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...seSTSRoleCmdlet:UseSTSRoleCmdlet) [Use-STSRole], In
   validOperationException
    + FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.STS.UseSTSRoleCmdlet

PS C:\>

However, as soon as I point at the profile with only my credentials and pass the RoleArn and Region using command-line arguments, it seems to be happy.

PS C:\> Use-STSRole -ProfileName govcloud -RoleSessionName "OdysseyDev" -Region us-gov-west-1 -RoleArn "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator"

AssumedRoleUser                            Credentials                            PackedPolicySize
---------------                            -----------                            ----------------
Amazon.SecurityToken.Model.AssumedRoleUser Amazon.SecurityToken.Model.Credentials 0


PS C:\>

Unfortunately, when I try to use the credentials, requests to AWS are still failing:

PS C:\> Use-STSRole -ProfileName govcloud -RoleSessionName "OdysseyDev" -Region us-gov-west-1 -RoleArn "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator"

AssumedRoleUser                            Credentials                            PackedPolicySize
---------------                            -----------                            ----------------
Amazon.SecurityToken.Model.AssumedRoleUser Amazon.SecurityToken.Model.Credentials 0


PS C:\> Get-EC2Instance
Get-EC2Instance : Error calling AssumeRole for role arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator
At line:1 char:1
+ Get-EC2Instance
+ ~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...2InstanceCmdlet:GetEC2InstanceCmdlet) [Get-EC2Insta
   nce], InvalidOperationException
    + FullyQualifiedErrorId : Amazon.Runtime.AmazonClientException,Amazon.PowerShell.Cmdlets.EC2.GetEC2InstanceCmdlet

PS C:\> Get-EC2Instance -Credential (Use-STSRole  -ProfileName govcloud -RoleSessionName "OdysseyDev" -Region us-gov-west-1 -RoleArn "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator")
Get-EC2Instance : Cannot bind parameter 'Credential'. Cannot convert the
"Amazon.SecurityToken.Model.AssumeRoleResponse" value of type "Amazon.SecurityToken.Model.AssumeRoleResponse" to type
"Amazon.Runtime.AWSCredentials".
At line:1 char:29
+ ... -Credential (Use-STSRole  -ProfileName govcloud -RoleSessionName "Ody ...
+                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Get-EC2Instance], ParameterBindingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Amazon.PowerShell.Cmdlets.EC2.GetEC2InstanceCmdlet

PS C:\> Get-EC2Instance -Credential (Use-STSRole  -ProfileName govcloud -RoleSessionName "OdysseyDev" -Region us-gov-west-1 -RoleArn "arn:aws-us-gov:iam::XXXXXXXXXXXX:role/Sandbox_Administrator").Credentials
Get-EC2Instance : AWS was not able to validate the provided access credentials
At line:1 char:1
+ Get-EC2Instance -Credential (Use-STSRole  -ProfileName govcloud -Role ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Amazon.PowerShe...2InstanceCmdlet:GetEC2InstanceCmdlet) [Get-EC2Insta
   nce], InvalidOperationException
    + FullyQualifiedErrorId : Amazon.EC2.AmazonEC2Exception,Amazon.PowerShell.Cmdlets.EC2.GetEC2InstanceCmdlet

PS C:\>

Hopefully this helps to narrow down where the problem might be.

[ashishdhingra]

Hi @rpatrick00,

Thanks for the detailed information. I have marked this as a bug (label). I will coordinate with developer to have a look at it and advise if something is missing, and keep you posted on the updates.

Thanks,
Ashish

[github-actions]

We have noticed this issue has not recieved attention in 1 year. We will close this issue for now. If you think this is in error, please feel free to comment and reopen the issue.