# RabbitMQ on Amazon MQ: Invalid IAM Assume Role
<a name="troubleshooting-action-required-codes-invalid-assumerole"></a>

 RabbitMQ on Amazon MQ will raise an INVALID\$1ASSUMEROLE critical action required code when the IAM role ARN specified in `aws.arns.assume_role_arn` is invalid or cannot be assumed by Amazon MQ. This can occur when the role does not exist, is in a different Amazon account than the broker, or lacks the necessary trust relationship with mq.amazonaws.com. 

 A broker in RABBITMQ\$1INVALID\$1ASSUMEROLE quarantine cannot retrieve credentials or certificates required for LDAP authentication, rendering LDAP authentication unavailable. If LDAP is the only configured authentication method, users will be unable to connect to the broker. The IAM role is required by Amazon MQ to access Amazon resources referenced by ARNs in the broker configuration, such as Amazon Secrets Manager secrets or Amazon S3 objects used for LDAP authentication. 

## Diagnosing and addressing RABBITMQ\$1INVALID\$1ASSUMEROLE
<a name="w2aac40c29b7"></a>

 To diagnose and address the RABBITMQ\$1INVALID\$1ASSUMEROLE action required code, you must use Amazon CloudWatch Logs and the Amazon Identity and Access Management console. 

**To resolve the invalid assume role issue**

1. Navigate to Amazon CloudWatch Logs Insights and run the following query against your broker's log group `/aws/amazonmq/broker/<broker-id>/general`:

   ```
   fields @timestamp, @message
   | sort @timestamp desc
   | filter @message like /error.*aws_arn_config/
   | limit 10000
   ```

1. Look for error messages similar to:

   ```
   [error] <0.254.0> aws_arn_config: {handle_assume_role,{error,{assume_role_failed,"AWS service is unavailable"}}}
   ```

1. Check the IAM role configuration and fix any issues such as:
   + Ensure the role exists in the same Amazon account as the broker
   + Verify the trust policy allows mq.amazonaws.com to assume the role
   + Confirm the role has appropriate permissions to access the required Amazon resources

1. Validate the fix using the [ARN access validation](arn-support-rabbitmq-configuration.md#arn-support-validation) API endpoint before updating the broker configuration.

1. Update the broker configuration and reboot the broker.