AWS
Feb 11, 2026 4 min read

Fix AWS "is not authorized to perform: sts:AssumeRole"

Both sides of an AssumeRole call need to agree — fix the trust policy and the calling principal.

Problem

```bash
User: arn:aws:iam::123:user/me is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::456:role/target
```

Root cause

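A cross-account AssumeRole call like this one requires two grants: the calling identity must be allowed `sts:AssumeRole` on the target role by an identity-based policy in its own account, and the target role's trust policy must allow the caller as a principal. If either grant is missing, STS denies the call with the error above.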

Solution

On the caller (account 123)

```json
{
  "Effect": "Allow",
  "Action": "sts:AssumeRole",
  "Resource": "arn:aws:iam::456:role/target"
}
```

On the target role's trust policy (account 456)

```json
{
  "Effect": "Allow",
  "Principal": { "AWS": "arn:aws:iam::123:user/me" },
  "Action": "sts:AssumeRole"
}
```
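To see which side is missing before editing anything, this Python sketch checks both grants offline against the policy statements. It is an added example, not code from the original article: the function names are hypothetical, the sample policies are constructed from the article's ARNs, and it deliberately ignores Deny statements, Condition blocks, SCPs and permission boundaries.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _allows_assume_role(stmt):
    # Action names are case-insensitive and may be wildcarded ("sts:*", "*").
    return stmt.get("Effect") == "Allow" and any(
        fnmatchcase("sts:assumerole", pattern.lower())
        for pattern in _as_list(stmt.get("Action", [])))

def caller_side_ok(identity_statements, role_arn):
    """True if an identity-policy statement allows sts:AssumeRole on role_arn."""
    return any(
        _allows_assume_role(s)
        and any(fnmatchcase(role_arn, r) for r in _as_list(s.get("Resource", [])))
        for s in identity_statements)

def trust_side_ok(trust_statements, caller_arn):
    """True if a trust-policy statement names the caller or its whole account."""
    parts = caller_arn.split(":")  # arn:partition:iam::account-id:resource
    account = parts[4]
    accepted = {"*", caller_arn, account, f"arn:{parts[1]}:iam::{account}:root"}
    for s in trust_statements:
        principal = s.get("Principal", {})
        names = principal.get("AWS", []) if isinstance(principal, dict) else principal
        if _allows_assume_role(s) and accepted & set(_as_list(names)):
            return True
    return False

def diagnose(caller_arn, role_arn, identity_statements, trust_statements):
    """Return the sides that still need a grant (empty list means both agree)."""
    missing = []
    if not caller_side_ok(identity_statements, role_arn):
        missing.append("caller identity policy")
    if not trust_side_ok(trust_statements, caller_arn):
        missing.append("target role trust policy")
    return missing

# Constructed sample input, reusing the ARNs from the article.
CALLER, ROLE = "arn:aws:iam::123:user/me", "arn:aws:iam::456:role/target"
IDENTITY = [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE}]
TRUST = [{"Effect": "Allow", "Principal": {"AWS": CALLER}, "Action": "sts:AssumeRole"}]
WRONG_TRUST = [{"Effect": "Allow", "Action": "sts:AssumeRole",
                "Principal": {"AWS": "arn:aws:iam::123:user/other"}}]

if __name__ == "__main__":
    for trust in (TRUST, WRONG_TRUST):
        print(diagnose(CALLER, ROLE, IDENTITY, trust))
```

A trust policy that names the account root (`arn:aws:iam::123:root`) passes the trust-side check for every principal in account 123, so the identity policy on the caller is the only thing scoping who can assume the role in that case.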
