Troubleshooting AWS Sync Failure
User: arn:aws:sts::087210011007:assumed-role/zilla_prod_ecs_task_role/3bc1935d14b442f39ffda0fc9c90eb80 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::<accountID>:role/Zilla-IAM-Reader-Role
Root Cause:
Zilla-IAM-Reader-Role may not exist in the Customer's AWS account <accountID> referenced in the Zilla-IAM-Reader-Role ARN.
In the Customer's AWS account <accountID>, the trust relationship of Zilla-IAM-Reader-Role may not list Zilla's AWS account 087210011007 as a principal.
In the Customer's AWS account <accountID>, the trust relationship of Zilla-IAM-Reader-Role may not contain an ExternalId condition set to the customer's domain name for Zilla's AWS account 087210011007.
Solution:
Log in to the Customer's AWS account <accountID>, open the IAM console and check that Zilla-IAM-Reader-Role is present. If it is not present, follow these steps to create the role: AWS - Create an IAM Role for IAM Users, Groups, Roles and Resources.
If the role is present, check its trust relationship document. It should be as follows:
The Principal should be arn:aws:iam::087210011007:root, which is Zilla's AWS account, and the ExternalId should be the customer's domain name, for example example.com.
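As an added example (not part of this article or Zilla's own tooling), the following Python checks a role's trust policy document against the two requirements above: Zilla's account root as the principal and an ExternalId condition equal to the customer's domain. The function names and the use of a policy document already fetched (for instance with `aws iam get-role --role-name Zilla-IAM-Reader-Role --query Role.AssumeRolePolicyDocument`) are assumptions; the sample policies are constructed.

```python
import json

ZILLA_ACCOUNT_ID = "087210011007"  # Zilla's AWS account, as given in the article


def expected_trust_policy(zilla_account_id: str, external_id: str) -> dict:
    """Trust policy matching the article: Zilla's account root may call
    sts:AssumeRole only when it presents the customer's domain as ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{zilla_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy: dict, zilla_account_id: str, external_id: str) -> list:
    """Return findings explaining why the trust policy does not meet the
    article's requirements; an empty list means the policy is as expected."""
    principal_arn = f"arn:aws:iam::{zilla_account_id}:root"
    first_findings = None
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in actions:
            continue
        findings = []
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        # AWS also accepts the bare account ID and normalises it to the root ARN
        if principal_arn not in principals and zilla_account_id not in principals:
            findings.append(f"Principal does not include {principal_arn}")
        cond = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if cond is None:
            findings.append("No sts:ExternalId condition")
        elif cond != external_id:
            findings.append(f"ExternalId is {cond!r}, expected {external_id!r}")
        if not findings:
            return []  # one statement fully satisfies the requirements
        first_findings = first_findings if first_findings is not None else findings
    return first_findings if first_findings is not None else ["No Allow statement for sts:AssumeRole"]


if __name__ == "__main__":
    # Constructed sample: the policy a customer should have for example.com
    print(json.dumps(expected_trust_policy(ZILLA_ACCOUNT_ID, "example.com"), indent=2))
```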