Assume cross account roles in AWS

I have 2 AWS accounts:
Account A: Running an EC2 with RStudio. The EC2 IAM Role can assume Role "bbbbbb-role" in Account B
Account B: Has Role "bbbbbb-role". The EC2 role in account A is allowed to assume this role. This Role can access the S3 bucket "MyS3Bucket" which is what I'm wanting access to.

Using AWS CLI from the Account A EC2 I can assume the Account B role fine:
aws sts assume-role --role-arn "arn:aws:iam::BBBBBBBB:role/bbbbbb-role" --role-session-name "MySession" --duration-seconds 3600 --output json

I want to do the same from within R. The EC2 in account A has R installed.

iam_info <- aws.signature::locate_credentials()
b_role <- aws.iam::assume_role(role = 'arn:aws:iam::BBBBBBBB:role/bbbbbb-role', session = 'MySession', use = TRUE)

The above gives error:
In stsHTTP(query = query, ...) : Forbidden (HTTP 403)

b_role =
Code : chr "SignatureDoesNotMatch"
Message: chr "Credential should be scoped to a valid region, not 'us-west-2'. "

I can't see any CloudTrail permission errors for the EC2 Role, so I'm thinking that R is not picking up the EC2 Role correctly.

Has anyone done this before, from a role in a source account, assumed a role in another account?
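
Added example, not part of the original post: the "scoped to a valid region" text in the error refers to the SigV4 credential scope, which must name the region of the STS endpoint that receives the request. This Python code assumes the R request went to the global endpoint sts.amazonaws.com (the post does not show the endpoint), which is served from us-east-1; the function names and the secret are constructed for illustration.

```python
import hashlib
import hmac
import re

# The global STS endpoint is served from us-east-1 and only accepts that scope.
GLOBAL_STS_HOST = "sts.amazonaws.com"
_REGIONAL = re.compile(r"^sts\.([a-z0-9-]+)\.amazonaws\.com$")


def expected_signing_region(host):
    """Region a SigV4 credential scope must name for this STS host."""
    host = host.lower().rstrip(".")
    if host == GLOBAL_STS_HOST:
        return "us-east-1"
    m = _REGIONAL.match(host)
    if not m:
        raise ValueError(f"not a standard STS endpoint: {host}")
    return m.group(1)


def credential_scope(date, region, service="sts"):
    """Scope string carried in the Authorization header's Credential field."""
    return f"{date}/{region}/{service}/aws4_request"


def signing_key(secret, date, region, service="sts"):
    """SigV4 key derivation: each scope element is folded into the key."""
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    return key


def check_scope(host, signing_region):
    """Return (ok, message) for an endpoint host and the region used to sign."""
    want = expected_signing_region(host)
    if signing_region == want:
        return True, f"scope region {signing_region} matches {host}"
    return False, (f"{host} expects scope region {want}, "
                   f"request was signed for {signing_region}")


if __name__ == "__main__":
    secret = "EXAMPLE-SECRET-constructed"  # constructed, not a real key
    for host, region in [("sts.amazonaws.com", "us-west-2"),
                         ("sts.us-west-2.amazonaws.com", "us-west-2"),
                         ("sts.amazonaws.com", "us-east-1")]:
        print(check_scope(host, region)[1])
    # A different region yields a different key, so the signature cannot validate.
    print(signing_key(secret, "20240101", "us-west-2")
          != signing_key(secret, "20240101", "us-east-1"))
```

The two consistent pairings are signing for us-east-1 against the global endpoint, or signing for the instance's region against the matching regional endpoint.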

