AWS STS Assume Role - InvalidClientTokenId: The security token included in the request is invalid

Question

I am trying to assume an IAM role using aws-sdk as so...

var sts = new AWS.STS();
sts.assumeRole({
  RoleArn: 'arn:aws:iam::xxxxxx:root',
  RoleSessionName: 'awssdk'
}, function(err, data) {
  if (err) { // an error occurred
    console.log('Cannot assume role');
    console.log(err, err.stack);
  } 
  else { // successful response
    AWS.config.update({
      accessKeyId: data.Credentials.AccessKeyId,
      secretAccessKey: data.Credentials.SecretAccessKey,
      sessionToken: data.Credentials.SessionToken
    });
  }
});

But I keep getting...

InvalidClientTokenId: The security token included in the request is invalid

However, I can connect if I just use the following...

AWS.config.update({ accessKeyId: process.env.ID, secretAccessKey: process.env.SECRET });

Any reason why I cannot assume a role?

Answer 1

The following

RoleArn: 'arn:aws:iam::xxxxxx:root',

is not the IAM role. It seems you are trying to assume the IAM root user. The correct ARN of a role has form of

arn:aws:iam::account-id:role/role-name-with-path