Skip to main content
Question

AWS Cross-Account Data Collection - "failed to AssumeRole"

  • March 11, 2025
  • 11 replies
  • 5 views
W

Hi Experts,
I'm setting up AWS Cross-Account Data Collection by following the reference links. However, it prompted me with the error of "failed to AssumeRole".
I have double-checked the settings as well as the policies needed, but I still have no idea what is the cause of this error. can help to have a look at it and possibly let me know where the part I miss off?
Reference links:  https://docs.cribl.io/stream/usecase-aws-x-account/

425_9caef55b13bd4eb28ae338e0e15d1ae0.png

    11 replies

    O
    • Oliver Hoppe
    • Employee
    • March 11, 2025

    Have you provided credentials in the configuration tab or left it to Auto? If you left it with auto you need to either configure the AWS CLI authentication on each of your workers or add the workers ARN to a role that is trusted to assume the role of your secondary account to have the right permissions.

    O
    • Oliver Hoppe
    • Employee
    • March 11, 2025

    Here is a good example:  https://repost.aws/knowledge-center/iam-assume-role-cli

    W
    • weiting lau
    • Author
    • New Participant
    • March 11, 2025
    add the workers ARN to a role that is trusted to assume the role of your secondary account to have the right permissions.

    just to clarify this part, as my worker is reside in cloud which has an instance role attached. this worker arn (instance role) need to add to another iam role which allows to assume the role of my secondary account ?

    O
    • Oliver Hoppe
    • Employee
    • March 11, 2025

    you need to allow that instance role to assume the role of the service policy you want to use

    O
    • Oliver Hoppe
    • Employee
    • March 11, 2025

    So the assume role sits in the account with the service you want to use.

    O
    • Oliver Hoppe
    • Employee
    • March 11, 2025
    425_25917be05e604ae9b52b41edfbefb2c6.png
    O
    • Oliver Hoppe
    • Employee
    • March 11, 2025

    The IAM Role of the trusting account needs to allow the IAM User ( or in your case Instance Role) to assume its role.

    B
    • baconesq
    • Employee
    • March 11, 2025

    The ARN of the role associated with your ec2 Instance Profile needs to appear in the Trust Policy of the role you are attempting to assume.

    W
    • weiting lau
    • Author
    • New Participant
    • March 11, 2025

    ermm the error still persist. My account A is having the instance role. Account B is having the assume role (called cribl-test). so I have allowed the instance role to be assume by the cribl-test role under trust policy in acct B. is there anything I miss ?

    S
    • Sirius Lange
    • Participating Frequently
    • March 11, 2025
    425_bbf8a76b387342e98f03084d1fca846d.png

    Hopefully this image helps, it's how my team have configured cross account access for cribl. Also make sure you've got the correct assume role options active:

    425_faf45a80ec3f41138422166d213d227b.png
    W
    • weiting lau
    • Author
    • New Participant
    • March 11, 2025

    I have set up accordingly to the advices. However, the same error still persist, "Failed to assumerole".

    The current existing setup

    Account A (roleA):

    • allow RoleB (sts:AssumeRole) in the trusted policy
    • allow RoleB (sts:AssumeRole) in the permission policy

    Account B (roleB)

    • allow RoleA (sts:AssumeRole) in the trusted policy
    • allow RoleA (s3:PUTObject, s3:ListAllBucket) in the pemission policy

    cribl edge Destination setup

    • enable the option for AssumeRole S3
    • input the RoleB arn

    Anywhere I can resolve this ?

    Terms & ConditionsAccessibility statement