Troubleshooting AWS Sync Failure

User: arn:aws:sts::087210011007:assumed-role/zilla_prod_ecs_task_role/3bc1935d14b442f39ffda0fc9c90eb80 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<accountID>:role/Zilla-IAM-Reader-Role

Root Cause:

  1. Zilla-IAM-Reader-Role may not exist in the Customer’s AWS Account <accountID> mentioned in the Zilla-IAM-Reader-Role ARN.

  2. In the Customer’s AWS Account <accountID>, the Trust Relationship of Zilla-IAM-Reader-Role may not include Zilla’s AWS account 087210011007 as a trusted principal.

  3. In the Customer’s AWS Account <accountID>, the Trust Relationship of Zilla-IAM-Reader-Role may not include an ExternalId condition set to the customer’s domain name for Zilla’s AWS account 087210011007.


Solution:

Log in to the Customer’s AWS account <accountID>. Go to the IAM Console and check that Zilla-IAM-Reader-Role is present. If it is not present, follow these steps to create the role: AWS - Create an IAM Role for IAM Users, Groups, Roles and Resources.

If the Role is present, check the Trust Relationship document of this Role. It should match the following:

The Principal should be arn:aws:iam::087210011007:root, which is Zilla’s AWS account, and the ExternalId should be the customer’s domain name, example.com.
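The check above can be automated instead of read off the console. The following is an added example, not part of the original troubleshooting note or of Zilla's tooling: it takes a role's trust relationship document (the `AssumeRolePolicyDocument` that `aws iam get-role --role-name Zilla-IAM-Reader-Role` returns) and reports which of the root causes 2 or 3 applies. The expected principal and ExternalId are the ones stated in this note; the sample policy documents, and the account ID 111122223333 used for the wrong-account case, are constructed for illustration.

```python
"""Check a cross-account role's trust relationship for the causes listed above.

Added example, not code from the original note. Expected values come from
the note: trusted principal arn:aws:iam::087210011007:root and an ExternalId
equal to the customer's domain name (example.com). All policy documents
below are constructed samples.
"""
import json

ZILLA_ACCOUNT_ID = "087210011007"  # Zilla's AWS account, as stated in the note
EXPECTED_PRINCIPAL = f"arn:aws:iam::{ZILLA_ACCOUNT_ID}:root"


def _trust_policy(principal, external_id=None):
    """Build a constructed sample trust policy as a JSON string."""
    statement = {
        "Effect": "Allow",
        "Principal": {"AWS": principal},
        "Action": "sts:AssumeRole",
    }
    if external_id is not None:
        statement["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    return json.dumps({"Version": "2012-10-17", "Statement": [statement]})


# Constructed sample: what the note says the trust relationship should look like.
GOOD_TRUST_POLICY = _trust_policy(EXPECTED_PRINCIPAL, "example.com")
# Constructed sample: right account, but no ExternalId condition (cause 3).
NO_EXTERNAL_ID_POLICY = _trust_policy(EXPECTED_PRINCIPAL)
# Constructed sample: trusts some other account (cause 2). 111122223333 is a placeholder.
WRONG_ACCOUNT_POLICY = _trust_policy("arn:aws:iam::111122223333:root", "example.com")


def _as_list(value):
    """IAM policy fields may be a single string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy_json, expected_external_id, trusted_account=ZILLA_ACCOUNT_ID):
    """Return a list of problems found in the trust policy; [] means it matches.

    policy_json: the AssumeRolePolicyDocument as a JSON string or parsed dict.
    """
    doc = json.loads(policy_json) if isinstance(policy_json, str) else policy_json
    expected_principal = f"arn:aws:iam::{trusted_account}:root"

    # Collect Allow statements for sts:AssumeRole that trust the expected account.
    trusting = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        # Only the {"AWS": ...} form names an account; "*" or a service principal does not.
        principals = _as_list(principal.get("AWS")) if isinstance(principal, dict) else []
        # IAM treats the bare account ID as shorthand for the :root ARN.
        if expected_principal in principals or trusted_account in principals:
            trusting.append(stmt)

    if not trusting:
        return [f"no Allow sts:AssumeRole statement trusts {expected_principal} (cause 2)"]

    problems = []
    for stmt in trusting:
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        external_id = condition.get("sts:ExternalId")
        if external_id is None:
            problems.append("trusting statement has no sts:ExternalId condition (cause 3)")
        elif expected_external_id not in _as_list(external_id):
            problems.append(
                f"sts:ExternalId is {external_id!r}, expected {expected_external_id!r} (cause 3)"
            )
    return problems


if __name__ == "__main__":
    for name, policy in [("good", GOOD_TRUST_POLICY),
                         ("no-external-id", NO_EXTERNAL_ID_POLICY),
                         ("wrong-account", WRONG_ACCOUNT_POLICY)]:
        print(name, "->", check_trust_policy(policy, "example.com") or "OK")
```

Cause 1 (the role does not exist at all) shows up one step earlier: `aws iam get-role` fails with a `NoSuchEntity` error before there is any document to check. When the role does exist, feed its `AssumeRolePolicyDocument` to `check_trust_policy` with the customer's domain name; an empty result means the trust relationship matches what this note requires.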