In account A, I have a Cognito identity pool with a role used for unauthenticated access. I want the unauthenticated role in account A to be able to assume another role in account B. I have set up the permissions and trust policy required by the AWS documentation. However, I received this error message:
AccessDenied: User: arn:aws:sts::{account A}:assumed-role/{unauthenticated role name}/CognitoIdentityCredentials is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::{account B}:role/{assume role name}
After my investigation, I found that, as an additional security protection, Amazon Cognito applies a scope-down policy to credentials vended by GetCredentialsForIdentity (the enhanced flow) to prevent unauthenticated users from accessing services other than the ones listed below. In other words, this policy allows an identity using these credentials access to only the following services:

Therefore, unauthenticated roles are limited in the services they can interact with, and unfortunately STS is not in the list above. This is why I got that exception: the scope-down policy prevents me from assuming a role, because that would exceed the scope of what the access policy allows for the unauthenticated role.
If you need access to something other than these services for your unauthenticated users, you must use the basic (classic) authentication flow. If you are getting NotAuthorizedException and you have enabled access to the service in your unauthenticated role policy, this is likely the reason.
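The following is an added example (not code from the original post) showing the basic/classic flow that avoids the scope-down policy: GetId, then GetOpenIdToken, then STS AssumeRoleWithWebIdentity into the unauthenticated role, and finally a second hop with sts:AssumeRole into the role in account B. The clients are injected so the flow can be exercised offline with constructed fakes; with real boto3 clients the same functions call Cognito and STS. The identity pool ID, account numbers and role ARNs are placeholders.

```python
"""Classic (basic) Cognito identity flow for an unauthenticated identity,
followed by a cross-account sts:AssumeRole into account B.

Added example, not from the original post. Identity pool id, account ids and
role ARNs below are placeholders; the Fake* clients are constructed stand-ins
used only for the offline demo.
"""
try:
    import boto3  # needed only when running against real AWS
except ImportError:  # boto3 absent: the offline demo still works
    boto3 = None

# Placeholder values (constructed; replace with your own).
IDENTITY_POOL_ID = "us-east-1:00000000-0000-0000-0000-000000000000"
UNAUTH_ROLE_ARN = "arn:aws:iam::111111111111:role/cognito-unauth-role"        # account A
CROSS_ACCOUNT_ROLE_ARN = "arn:aws:iam::222222222222:role/cross-account-role"  # account B


def unauth_credentials_classic_flow(cognito, sts, identity_pool_id, unauth_role_arn,
                                    session_name="cognito-unauth"):
    """Classic flow: GetId -> GetOpenIdToken -> AssumeRoleWithWebIdentity.

    Credentials obtained this way are scoped only by the unauthenticated
    role's IAM policy; Cognito's enhanced-flow scope-down policy is not applied.
    """
    identity_id = cognito.get_id(IdentityPoolId=identity_pool_id)["IdentityId"]
    token = cognito.get_open_id_token(IdentityId=identity_id)["Token"]
    resp = sts.assume_role_with_web_identity(
        RoleArn=unauth_role_arn,
        RoleSessionName=session_name,
        WebIdentityToken=token,
    )
    return resp["Credentials"]


def assume_cross_account_role(sts_as_unauth, role_arn, session_name="cross-account"):
    """Second hop: with the unauthenticated role's credentials, call sts:AssumeRole
    on the role in account B. The unauth role policy must allow sts:AssumeRole on
    role_arn, and the account B role's trust policy must trust the unauth role."""
    resp = sts_as_unauth.assume_role(RoleArn=role_arn, RoleSessionName=session_name)
    return resp["Credentials"]


def trust_policy_for_account_b(unauth_role_arn):
    """Trust policy document the account B role needs so the unauth role can assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": unauth_role_arn},
            "Action": "sts:AssumeRole",
        }],
    }


def sts_client_from_credentials(creds, region):
    """Build a real STS client from a Credentials dict returned by STS (boto3 required)."""
    return boto3.client(
        "sts", region_name=region,
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"],
    )


class FakeCognito:
    """Constructed stand-in for the cognito-identity client (offline demo only)."""
    def get_id(self, IdentityPoolId):
        return {"IdentityId": IdentityPoolId.split(":")[0] + ":fake-identity-id"}

    def get_open_id_token(self, IdentityId):
        return {"IdentityId": IdentityId, "Token": "fake-oidc-token-for-" + IdentityId}


class FakeSts:
    """Constructed stand-in for STS; records which API was called with which role."""
    def __init__(self, key_id):
        self.key_id = key_id
        self.calls = []

    def _creds(self):
        return {"AccessKeyId": self.key_id, "SecretAccessKey": "fake-secret",
                "SessionToken": "fake-session-token"}

    def assume_role_with_web_identity(self, RoleArn, RoleSessionName, WebIdentityToken):
        self.calls.append(("AssumeRoleWithWebIdentity", RoleArn))
        return {"Credentials": self._creds()}

    def assume_role(self, RoleArn, RoleSessionName):
        self.calls.append(("AssumeRole", RoleArn))
        return {"Credentials": self._creds()}


def run_offline_demo():
    """Run both hops against the fakes; returns (recorded calls, final credentials)."""
    cognito, sts_anonymous, sts_as_unauth = FakeCognito(), FakeSts("ASIAFAKEUNAUTH"), FakeSts("ASIAFAKECROSS")
    unauth_creds = unauth_credentials_classic_flow(cognito, sts_anonymous, IDENTITY_POOL_ID, UNAUTH_ROLE_ARN)
    assert unauth_creds["AccessKeyId"] == "ASIAFAKEUNAUTH"
    # With real boto3: sts_as_unauth = sts_client_from_credentials(unauth_creds, "us-east-1")
    final_creds = assume_cross_account_role(sts_as_unauth, CROSS_ACCOUNT_ROLE_ARN)
    return sts_anonymous.calls + sts_as_unauth.calls, final_creds


if __name__ == "__main__":
    print(run_offline_demo())
```

The classic flow must be enabled on the identity pool (the "basic (classic) flow" setting, `AllowClassicFlow` in the API) or GetOpenIdToken will not be usable for this purpose. Note that the second hop's principal is still the unauthenticated role session, so the account B trust policy should name that role (as in `trust_policy_for_account_b`), and the unauthenticated role's own policy needs an explicit `sts:AssumeRole` allow on the account B role ARN.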