A DevOps engineer is troubleshooting an application running on an EC2 instance. The application needs to access an Amazon RDS database using IAM database authentication. The EC2 instance is associated with an IAM role 'EC2-AppRole', and the RDS instance has a resource-based policy that allows 'DatabaseAccessRole' to connect. The engineer sees the error in the exhibit. What is the most likely cause?
Exhibit
Refer to the exhibit. Error log from an application instance: 2023-10-01T12:34:56Z ERROR Failed to assume role: AccessDenied User: arn:aws:sts::123456789012:assumed-role/EC2-AppRole/i-0a1b2c3d4e5f is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/DatabaseAccessRole
Options:
- A. The RDS instance does not have a resource-based policy that grants access to 'DatabaseAccessRole'.
- B. The security group for the EC2 instance does not allow outbound traffic to the RDS instance.
- C. The EC2 instance does not have the correct IAM instance profile attached.
- D. The trust policy of the IAM role 'DatabaseAccessRole' does not allow the EC2 instance role 'EC2-AppRole' to assume it.

Answer: D

Why D is correct: the denied action is sts:AssumeRole and the resource is arn:aws:iam::123456789012:role/DatabaseAccessRole. The caller is already running as EC2-AppRole (the User ARN is that role's assumed-role session, with the instance ID as the session name), so the instance profile is attached and working; what is missing is permission for EC2-AppRole to assume DatabaseAccessRole. Within one account that is decided by the trust policy of the target role, so the trust policy of DatabaseAccessRole must name arn:aws:iam::123456789012:role/EC2-AppRole as a principal. Two checks to make alongside the fix: if the trust policy trusts only the account root rather than the role ARN, EC2-AppRole additionally needs an identity-based policy allowing sts:AssumeRole on DatabaseAccessRole; and once the assumption succeeds, DatabaseAccessRole still needs rds-db:connect on the target db-user resource, because IAM database authentication is authorized by identity-based policy.

Trap 1 (option A): the error is raised by STS while assuming the role, before any connection to the database is attempted, so a database-side policy cannot be the cause. Note also that RDS DB instances do not carry resource-based policies; the permission that matters for IAM database authentication is rds-db:connect in the connecting role's identity-based policy.

Trap 2 (option B): a security-group problem surfaces as a connection timeout or refusal from the database endpoint, not as an IAM AccessDenied from STS.

Trap 3 (option C): the User ARN in the log is an assumed-role session of EC2-AppRole, which proves the instance profile is attached and credentials were issued. The failure happens one step later, when those credentials are used to assume DatabaseAccessRole.
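As an added example, not part of the original question and not AWS tooling, the following Python script applies the same reasoning mechanically: it parses the exhibit's error line, maps the assumed-role session ARN back to the caller's IAM role ARN (the form a trust policy principal must use), and classifies how a candidate trust policy for DatabaseAccessRole treats that caller. The three trust policies are constructed for this example; the "broken" one shows a common mistake, a trust policy that names the ec2.amazonaws.com service principal (correct for EC2-AppRole itself) instead of the instance role.

```python
import re

# Constructed inputs for this example: the exhibit's log line and three
# hypothetical trust policies that DatabaseAccessRole might carry.
ERROR_LINE = (
    "2023-10-01T12:34:56Z ERROR Failed to assume role: AccessDenied User: "
    "arn:aws:sts::123456789012:assumed-role/EC2-AppRole/i-0a1b2c3d4e5f "
    "is not authorized to perform: sts:AssumeRole on resource: "
    "arn:aws:iam::123456789012:role/DatabaseAccessRole"
)

# Trusts only the EC2 service principal: right for EC2-AppRole, but copied
# onto DatabaseAccessRole it trusts no IAM role, so AssumeRole is denied.
BROKEN_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Names the instance role explicitly; within one account this is sufficient.
FIXED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:role/EC2-AppRole"},
                   "Action": "sts:AssumeRole"}],
}

# Trusts the whole account; EC2-AppRole then also needs an identity-based
# policy allowing sts:AssumeRole on DatabaseAccessRole.
ACCOUNT_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "sts:AssumeRole"}],
}

DENIAL_RE = re.compile(
    r"User: (?P<session>arn:aws:sts::\d{12}:assumed-role/[^/\s]+/\S+) "
    r"is not authorized to perform: sts:AssumeRole on resource: "
    r"(?P<target>arn:aws:iam::\d{12}:role/\S+)"
)
SESSION_RE = re.compile(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/.+")


def parse_denial(line):
    """Return (caller session ARN, target role ARN) from an AssumeRole denial, else None."""
    m = DENIAL_RE.search(line)
    return (m.group("session"), m.group("target")) if m else None


def session_to_role_arn(session_arn):
    """Map arn:aws:sts::ACCT:assumed-role/NAME/SESSION to arn:aws:iam::ACCT:role/NAME."""
    m = SESSION_RE.fullmatch(session_arn)
    if not m:
        raise ValueError(f"not an assumed-role session ARN: {session_arn}")
    account, role_name = m.groups()
    return f"arn:aws:iam::{account}:role/{role_name}"


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def trust_policy_verdict(policy, caller_role_arn):
    """Classify how a trust policy treats caller_role_arn:
    'explicit' - role ARN named as principal (enough within one account)
    'account'  - only the account root is trusted (identity policy also needed)
    'none'     - not trusted; AssumeRole is denied regardless of identity policies
    Explicit Deny statements and Condition blocks are ignored in this toy check."""
    account_id = caller_role_arn.split(":")[4]
    root_forms = {account_id, f"arn:aws:iam::{account_id}:root"}
    verdict = "none"
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not set(_as_list(stmt.get("Action"))) & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal")
        aws_principals = set(_as_list(principal.get("AWS"))) if isinstance(principal, dict) else set()
        if caller_role_arn in aws_principals:
            return "explicit"
        if aws_principals & root_forms:
            verdict = "account"
    return verdict


def diagnose(line, trust_policy):
    """Combine parsing and the trust check for one log line and one candidate policy."""
    parsed = parse_denial(line)
    if parsed is None:
        return None
    session_arn, target_role_arn = parsed
    caller_role_arn = session_to_role_arn(session_arn)
    return {"caller_role": caller_role_arn,
            "target_role": target_role_arn,
            "trust": trust_policy_verdict(trust_policy, caller_role_arn)}


if __name__ == "__main__":
    for name, policy in [("broken", BROKEN_TRUST_POLICY),
                         ("fixed", FIXED_TRUST_POLICY),
                         ("account-root", ACCOUNT_TRUST_POLICY)]:
        print(name, diagnose(ERROR_LINE, policy))
```

The verdict 'account' is the case practitioners most often miss: the trust policy looks permissive, yet the same AccessDenied persists until EC2-AppRole's own identity-based policy also allows sts:AssumeRole on the target role.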