Spacelift run fails with: Error: Cannot assume IAM RoleThe plan exits with an AWS AccessDenied error when trying to assume the configured IAM Role.

Last updated: September 15, 2025

Cause

This happens when the IAM Role is being assumed twice:

Once by Spacelift (via the Stack’s IAM Role setting).
Again inside your Terraform/OpenTofu AWS provider block using role_arn.

The error might look like this:

Error: Cannot assume IAM Role

Error: operation error STS: AssumeRole, 
api error AccessDenied: User: arn:aws:sts::123456789012:assumed-role/example-role/session-name 
is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::123456789012:role/example-role

Fix

Remove the duplicate role_arn from your Terraform provider if Spacelift is already configured with the IAM Role.
Double-check the IAM Role’s trust policy and ensure sts:AssumeRole permissions are correctly granted.