This article covers ways to resolve the AWS AccessDeniedException – I Can't Assume a Role error, which happens when you try to create an Auto Scaling group without the PassRole permission (iam:PassRole). To pass a role (and its permissions) to an AWS service, a user must have permission to pass that role to the service. This lets administrators ensure that only approved users can configure a service with a role that grants permissions. To allow a user to pass a role to an AWS service, grant the PassRole permission to the user's IAM user, role, or group.
Cause of AWS AccessDeniedException – I Can't Assume a Role error:
There are two possible causes of this AccessDenied error: the user in your development account doesn't have permission to call sts:AssumeRole on the production role, or the trust relationship of the role in the production account is not configured correctly (it does not trust the calling principal).
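Both causes can be checked offline before touching the console. The following is an added example (not code from the original article or from AWS): a small evaluator that reads the caller's identity-based policy and the target role's trust policy and reports which of the two conditions fails, plus the matching iam:PassRole check with the iam:PassedToService condition that the Auto Scaling case needs. All account IDs, role names and policy documents are constructed samples, and the evaluator models only a subset of IAM (Allow/Deny, Action/Resource wildcards, a StringEquals condition); it is a diagnostic aid, not a replacement for the IAM policy simulator.

```python
import json
import re

# --- constructed sample data (not real accounts or roles) ---
DEV_USER = "arn:aws:iam::111111111111:user/deploy-user"
PROD_ROLE = "arn:aws:iam::222222222222:role/ProdDeployRole"
INSTANCE_ROLE = "arn:aws:iam::111111111111:role/AsgInstanceRole"

DEV_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": PROD_ROLE},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": INSTANCE_ROLE,
         # PassRole scoped to the service that will use the role (least privilege)
         "Condition": {"StringEquals": {"iam:PassedToService": "autoscaling.amazonaws.com"}}},
    ],
}

# Trust policy that names the wrong principal: the second cause described in the text.
BROKEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:user/someone-else"}}],
}

# Corrected trust policy: trusts the development account root, so any principal in that
# account that also holds sts:AssumeRole in its own policy may assume the role.
FIXED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": "arn:aws:iam::111111111111:root"}}],
}


def _as_list(value):
    """Most IAM policy fields may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    """IAM-style matching: '*' matches any run of characters, '?' exactly one.
    Action names are case-insensitive in IAM; ARNs are not."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    return re.match(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _condition_satisfied(condition, context):
    """Minimal condition evaluator: only StringEquals is modelled; a statement using any
    other operator is treated as not applicable (a simplification of real IAM)."""
    for operator, keys in condition.items():
        if operator != "StringEquals":
            return False
        for key, expected in keys.items():
            if context.get(key) not in _as_list(expected):
                return False
    return True


def identity_policy_allows(policy, action, resource, context=None):
    """Evaluate an identity-based policy for one action/resource pair.
    An explicit Deny wins over any Allow; no matching Allow means implicit deny."""
    context = context or {}
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_wildcard_match(a, action, True) for a in _as_list(stmt.get("Action"))):
            continue
        if not any(_wildcard_match(r, resource) for r in _as_list(stmt.get("Resource", "*"))):
            continue
        if not _condition_satisfied(stmt.get("Condition", {}), context):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def trust_policy_allows(trust_policy, principal_arn):
    """Does the role's trust policy let principal_arn call sts:AssumeRole?
    Accepts the principal's own ARN, its account root, or '*'."""
    account_root = f"arn:aws:iam::{principal_arn.split(':')[4]}:root"
    for stmt in _as_list(trust_policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not any(_wildcard_match(a, "sts:AssumeRole", True) for a in _as_list(stmt.get("Action"))):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            return True
        if any(p in ("*", principal_arn, account_root) for p in _as_list(principal.get("AWS"))):
            return True
    return False


def diagnose_assume_role(identity_policy, trust_policy, principal_arn, role_arn):
    """Return the reasons AssumeRole would be denied (empty list = both checks pass).
    The two entries mirror the two causes named in the article."""
    problems = []
    if not identity_policy_allows(identity_policy, "sts:AssumeRole", role_arn):
        problems.append(f"caller's policy does not allow sts:AssumeRole on {role_arn}")
    if not trust_policy_allows(trust_policy, principal_arn):
        problems.append(f"trust policy of {role_arn} does not trust {principal_arn}")
    return problems


def can_pass_role(identity_policy, role_arn, service):
    """PassRole check for the Auto Scaling case: iam:PassRole on the instance role, with the
    iam:PassedToService condition (if present) naming the service that receives the role."""
    return identity_policy_allows(identity_policy, "iam:PassRole", role_arn,
                                  {"iam:PassedToService": service})


if __name__ == "__main__":
    print(json.dumps(diagnose_assume_role(DEV_USER_POLICY, BROKEN_TRUST_POLICY, DEV_USER, PROD_ROLE), indent=2))
    print(json.dumps(diagnose_assume_role(DEV_USER_POLICY, FIXED_TRUST_POLICY, DEV_USER, PROD_ROLE), indent=2))
    print("PassRole to autoscaling:", can_pass_role(DEV_USER_POLICY, INSTANCE_ROLE, "autoscaling.amazonaws.com"))
```

Run against the constructed data, the broken trust policy yields a single finding (the trust side), the fixed one yields none, and the PassRole check passes only for autoscaling.amazonaws.com, which is the behaviour the iam:PassedToService condition is meant to enforce.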
To create a role for Amazon RDS enhanced monitoring:
- Sign in to the AWS Management Console and open the IAM console at https://console.aws.amazon.com/iam/.
- Choose Roles, and then choose Create role.
- Choose the AWS Service role type, and then choose the Amazon RDS Role for Enhanced Monitoring service. Then choose Next: Permissions.
- Choose the AmazonRDSEnhancedMonitoringRole permissions policy.
- Choose Next: Tags.
- (Optional) Add metadata to the user by attaching tags as key-value pairs. For more information about using tags in IAM.
- Choose Next: Review.
- For Role name, type a role name that helps you identify the purpose of this role. Role names must be unique within your AWS account. They are not distinguished by case. For example, you cannot create roles named both PRODROLE and prodrole. Because various entities might reference the role, you cannot edit the name of the role after it has been created.
- (Optional) For Role description, type a description for the new role.
- Review the role and then choose Create role.
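The console steps above map to two IAM API calls: create the role with a trust policy that names the RDS monitoring service, then attach the managed permissions policy. The following is an added example (not code from the original article or from AWS) written against the boto3 IAM client interface. The service principal (monitoring.rds.amazonaws.com) and the managed policy ARN are taken from AWS's documentation for Enhanced Monitoring and are not stated on the page; the role name, description and tags are constructed. The client is passed in as a parameter so the function can be exercised with a fake object without AWS credentials.

```python
import json

# Service principal and managed-policy ARN for RDS Enhanced Monitoring (assumed from AWS
# documentation; the article above does not name them).
RDS_MONITORING_SERVICE = "monitoring.rds.amazonaws.com"
ENHANCED_MONITORING_POLICY_ARN = "arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole"


def enhanced_monitoring_trust_policy():
    """Trust policy equivalent to choosing the 'Amazon RDS Role for Enhanced Monitoring'
    service role type in the console: only the RDS monitoring service may assume the role.
    No AWS account or user principal is trusted, so this role cannot be assumed by people."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": RDS_MONITORING_SERVICE},
            "Action": "sts:AssumeRole",
        }],
    }


def create_enhanced_monitoring_role(iam, role_name, description="", tags=None):
    """The console procedure (service role type, permissions policy, tags, name,
    description, create) as API calls. `iam` is any object exposing boto3's IAM client
    methods create_role and attach_role_policy: a real client, or a fake in tests.
    Returns the new role's ARN."""
    kwargs = {
        "RoleName": role_name,
        "AssumeRolePolicyDocument": json.dumps(enhanced_monitoring_trust_policy()),
    }
    if description:          # optional step in the console; omit the field when empty
        kwargs["Description"] = description
    if tags:                 # optional key-value tags, same as the 'Next: Tags' step
        kwargs["Tags"] = [{"Key": k, "Value": v} for k, v in tags.items()]
    resp = iam.create_role(**kwargs)
    # Equivalent of choosing the AmazonRDSEnhancedMonitoringRole permissions policy.
    iam.attach_role_policy(RoleName=role_name, PolicyArn=ENHANCED_MONITORING_POLICY_ARN)
    return resp["Role"]["Arn"]


if __name__ == "__main__":
    # Stand-alone run against a real account (assumes boto3 is installed and credentials
    # with iam:CreateRole and iam:AttachRolePolicy are configured). Role name is constructed.
    import boto3
    arn = create_enhanced_monitoring_role(boto3.client("iam"), "rds-enhanced-monitoring-role",
                                          description="Role for RDS Enhanced Monitoring",
                                          tags={"env": "constructed-example"})
    print("created", arn)
```

Because the role name is immutable after creation and case-insensitively unique within the account (as the procedure notes), a create_role call with a name that only differs in case from an existing role fails with EntityAlreadyExists; check your naming convention before running it.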