Copilot "unable to assume role" / credentials in CI
Copilot assumes the environment manager role to deploy into an environment account. When the CI principal cannot assume that role (no trust, wrong account, or missing credentials), the deploy fails before touching CloudFormation.
What this error means
copilot env deploy or svc deploy fails with "unable to assume role", "AccessDenied: ... not authorized to perform: sts:AssumeRole", or "NoCredentialProviders" / "failed to get credentials".
x assume role arn:aws:iam::123456789012:role/myapp-prod-EnvManagerRole:
AccessDenied: User: arn:aws:iam::123456789012:user/ci is not authorized to perform:
sts:AssumeRole on resource: ...EnvManagerRoleCommon causes
The CI principal cannot assume the env manager role
The environment manager role does not trust the CI principal, or the CI principal lacks sts:AssumeRole on it, so Copilot cannot enter the environment.
No credentials available to the CLI
The standard credential chain found nothing in CI, so even the initial STS call has no identity to use.
How to fix it
Allow the CI principal to assume the role
- Add the CI principal to the env manager role trust policy.
- Grant the CI principal sts:AssumeRole on that role ARN.
- Re-run the deploy.
{ "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:role/ci" },
"Action": "sts:AssumeRole" }Provide credentials in the job
Configure credentials (ideally OIDC) before invoking Copilot so the CLI has an identity to assume from.
- uses: aws-actions/configure-aws-credentials@v4
with:
role-to-assume: arn:aws:iam::123456789012:role/ci
aws-region: us-east-1How to prevent it
- Keep the env manager role trust policy in sync with CI principals.
- Use OIDC role assumption instead of static keys.
- Deploy to one account/region per job to avoid cross-account confusion.