AssumeRole policy may only specify STS AssumeRole actions.

The error message “AssumeRole policy may only specify STS AssumeRole actions” comes from the IAM (Identity and Access Management) service in AWS. It occurs when the assume role policy document of an IAM role specifies actions other than the STS (Security Token Service) AssumeRole API actions.

The assume role policy document is a JSON-based policy that defines who can assume the role and which STS actions (such as “sts:AssumeRole”) they may use to do so. It is attached to an IAM role and acts as a trust policy, determining which entities can assume the role and under what conditions. The permissions the role grants once assumed live in separate permissions policies, not in the trust policy.

The error typically occurs when the actions listed in the assume role policy document are not all STS AssumeRole actions, for example when a permissions-policy action such as an S3 or EC2 action has been pasted into the trust policy.

Here is an example of a valid assume role policy document that only specifies STS AssumeRole actions:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::123456789012:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}

In this example, the assume role policy document allows the AWS account with the ARN “arn:aws:iam::123456789012:root” to assume the role and specifies the “sts:AssumeRole” action.

To fix the error, ensure that the assume role policy document only specifies STS AssumeRole actions, such as “sts:AssumeRole” or “sts:AssumeRoleWithSAML”. Remove any other actions, since they do not belong in a trust policy; grant them in the role's permissions policies instead.
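As an added example (not code from the original post), here is a small pre-flight check that reports every action in a trust policy document that would trigger this error, run over the page's valid document and a constructed broken one. The allowed-action set extends the two names the page gives with the other STS actions IAM accepts in a trust policy; the policy with s3:GetObject mixed in is a constructed sample.

```python
import json
from typing import List

# STS actions IAM accepts in a trust (assume role) policy, lower-cased
# because IAM compares action names case-insensitively. The page names
# sts:AssumeRole and sts:AssumeRoleWithSAML; the other three are the
# remaining STS actions a trust policy may grant.
ALLOWED_TRUST_ACTIONS = {
    "sts:assumerole", "sts:assumerolewithsaml",
    "sts:assumerolewithwebidentity", "sts:tagsession", "sts:setsourceidentity",
}


def find_disallowed_actions(policy_json: str) -> List[str]:
    """Return every Action that is not an STS assume-role action, in
    document order; an empty list means the document would pass the check
    behind this page's error. Wildcards such as "*" are reported too:
    this lint only accepts the explicit names above."""
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may be written bare
        statements = [statements]
    disallowed = []
    for statement in statements:
        actions = statement.get("Action", [])
        if isinstance(actions, str):  # "Action" may be a string or a list
            actions = [actions]
        disallowed += [a for a in actions if a.lower() not in ALLOWED_TRUST_ACTIONS]
    return disallowed


# The page's valid trust policy.
VALID_TRUST_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
  "Action": "sts:AssumeRole"}]}"""

# Constructed example of the mistake behind the error: a permissions-policy
# action (s3:GetObject) pasted into the trust policy alongside sts:AssumeRole.
BROKEN_TRUST_POLICY = """{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
  "Action": ["sts:AssumeRole", "s3:GetObject"]}]}"""

if __name__ == "__main__":
    for name, doc in (("valid", VALID_TRUST_POLICY), ("broken", BROKEN_TRUST_POLICY)):
        print(name, find_disallowed_actions(doc) or "OK")  # valid OK / broken ['s3:GetObject']
```

Running the check before calling CreateRole or UpdateAssumeRolePolicy surfaces the offending action names directly, whereas the IAM error only tells you that some action was not an STS AssumeRole action.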
